Understanding the “Chain of Liability” Under HIPAA and How Business Associate Agreements Allocate Risk and Protect Your Practice

By Kevin Lin

Business associate agreements bind entities with access to protected health information (PHI) to HIPAA’s privacy and data security rules. The obligations of entities under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) can be thought of as links in a chain of liability. At the highest level, HIPAA’s privacy rules apply to “covered entities,” such as health plan providers, clearinghouses, insurance carriers, and certain healthcare providers, which lie at the top of the chain. The HIPAA privacy rules require covered entities such as medical practices to implement comprehensive privacy and data safeguards to protect PHI. These requirements generally fall into three categories: (i) administrative safeguards, such as requiring ongoing risk assessments to identify potential vulnerabilities and risks; (ii) physical safeguards, such as requiring physical measures to prevent unauthorized access and protect against environmental hazards; and (iii) technical safeguards, such as requiring technical controls to ensure data security.


Health System $2.4M Settlement for Privacy Violations Highlights the Need to Understand Permitted Disclosures Under HIPAA

By Jared L. Shwartz

The Department of Health and Human Services Office for Civil Rights (OCR) investigated a record number of alleged HIPAA violations in 2016. A recent settlement between OCR and a health system in the State of Texas reflects that OCR investigations and enforcement actions will continue at high volume through 2017, and serves as an example of the liabilities associated with unintended (yet impermissible) disclosures prohibited under HIPAA.
