Business Associates Liable for Breach

Saturday, August 21, 2010

Jack Anderson


Finally, we are seeing privacy and security experts agreeing that if you signed a BA agreement, you must be compliant with the terms of that agreement now.

Here is more from this important blog:

New standards imposed on business associates and their partners.

Guest commentary from Daniel F. Gottlieb, Bernadette M. Broccolo, Jennifer S. Geetter, Jerry Tichner, Jeanna Palmer Gunville, Sarah S. Nelson, Edward G. Zacharias and Stephen W. Bernstein, attorneys in the Health Industry Advisory Practice Group of global law firm McDermott, Will & Emery, LLP

[Editor's note: Due to its length, this guest commentary will be presented in a series of three blog posts on consecutive days. Part 1 appears below.]

On July 14, 2010, the Office for Civil Rights (OCR) of the U.S. Department of Health & Human Services (HHS) issued a proposed rule (Proposed Rule) containing modifications to the privacy standards (Privacy Rule), security standards (Security Rule) and enforcement regulations (Enforcement Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The proposed modifications include changes required by the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and other changes deemed appropriate by OCR in order to strengthen the privacy and security of health information and to improve the "workability and effectiveness" of the Privacy Rule, Security Rule and Enforcement Rule (collectively, the Administrative Simplification Regulations).

OCR is accepting comments on the Proposed Rule through Sept. 13, 2010. Covered entities, business associates and others affected by the Administrative Simplification Regulations should consider submitting comments to OCR in order to shape the final rule. The Proposed Rule indicates that final amendments to the Administrative Simplification Regulations will be effective 180 days after the publication of a final rule.

However, covered entities and business associates that have agreed to comply with HITECH Act requirements or other Administrative Simplification Regulation requirements through business associate agreements will continue to have contractual compliance obligations prior to the effective date.

Consequently, effective Feb. 18, 2010, the HITECH Act makes business associates both contractually liable to a covered entity for breach of the business associate agreement with the covered entity and civilly and criminally liable to the government for violations of those Security Rule requirements and the Privacy Rule's business associate agreement requirements.

Cross-posted from Compliance Helper
