Legal: Review your HIPAA policies

Friday, February 24, 2012

The Department of Health and Human Services (HHS) announced in November 2011 that it would undertake a HIPAA Privacy and Security audit program in which the agency reviews the HIPAA compliance of up to 150 entities. With this in mind, it is a particularly good time to review your company's HIPAA policies.

In addition to regulating how suppliers interact with protected health information (PHI), the HIPAA rules require suppliers to ensure their "business associates" also protect the privacy and security of the customer's PHI. "Business associates" are people or entities, other than the supplier's employees, that perform services for the supplier that involve the use or disclosure of individually identifiable health information. 

Under the Breach Notification rule, a supplier's obligations arise when a breach is discovered, whether by the supplier or by a business associate. A breach exists when unsecured PHI is used or disclosed in violation of the HIPAA privacy rule and that use or disclosure compromises the privacy or security of the PHI. Privacy and security are considered compromised if the use or disclosure poses a significant risk of financial, reputational or other harm to the individual.

Business associates must notify a supplier no later than 60 days after discovery of a breach of unsecured protected health information. Once a breach is discovered, the supplier must then notify each individual whose information has been, or is reasonably believed to have been, breached in accordance with technical specifications provided in the rule. In some cases where larger numbers of individuals are affected, notification of the media and HHS may also be required. 

For examples of business associate agreements and additional information on HIPAA compliance:

Katie Salsbury is an attorney with Eastwood & Azia. Reach her at or 202-296-7775.