Many people and entities that conduct business with healthcare entities are subject to newly effective federal regulations that expand the privacy and security requirements of HIPAA. Failure to comply could result in civil or criminal liability and large monetary penalties.
HIPAA, the Health Insurance Portability and Accountability Act of 1996, imposed privacy and security standards for individuals’ protected health information (“PHI”) in the hands of healthcare providers and others (“Covered Entities”). The Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), adopted as part of the 2009 federal stimulus bill, imposes new requirements on entities that conduct business with Covered Entities.
Under HIPAA, those who come into possession of PHI as part of their services to Covered Entities are required to enter into “Business Associate Agreements” with the Covered Entities. These Agreements set forth the obligations of the business associate to protect PHI, and in many cases provide for contractual liability to the Covered Entities in the event of a data security breach or other violation of HIPAA. Basically, any person or entity that handles individuals’ PHI in the course of its business is considered a “Business Associate” under HIPAA, whether or not it or the Covered Entities it deals with acknowledge that fact. For example, private equity and venture capital funds may become Business Associates in the course of conducting due diligence on investment and buy-out targets, as well as in the course of monitoring and managing their existing portfolio companies and their management teams. Other traps for even the wary arise when evaluating an acquisition target to bolt onto an existing portfolio company. However, many Business Associates have not complied with HIPAA, either out of ignorance of their responsibilities or because they would have had no direct liability to the federal government for HIPAA violations. This has now changed.
Effective February 17, 2010, the HITECH Act imposed expanded data privacy and security obligations on Business Associates, giving them potential direct civil and/or criminal liability to the federal government for their data breaches and other violations of HITECH. HITECH even applies to entities that deal only with other Business Associates, rather than directly with a Covered Entity, if they come into possession of PHI. HITECH sets forth detailed notification requirements that must be followed by a Business Associate that suffers a data breach or otherwise violates the HIPAA privacy or security rules.
Monetary penalties for violations of HITECH can be substantial, reaching into the millions of dollars. While most Covered Entities and Business Associates are aware of their legal responsibilities by now, others may not be. Any entity that comes into possession of PHI, even indirectly or temporarily (including, for example, in the course of conducting due diligence in connection with a proposed acquisition, financing or underwriting), should consult with an attorney to ensure that its legal responsibilities under HIPAA and the HITECH Act are being met.