South Florida Hospital News
Saturday October 31, 2020

test 2

June 2010 - Volume 6 - Issue 12

Overlooked “Business Associates” Under the HITECH Act

The Health Insurance Portability and Accountability Act of 1996, (HIPAA) imposed privacy and security standards for patients’ protected health information (“PHI”) handled by healthcare providers and others (“Covered Entities”). More recently, the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), adopted as part of the 2009 federal stimulus bill, new requirements on entities (“Business Associates”) that conduct business with Covered Entities.

Under HIPAA, those who come into possession of PHI as part of their services to Covered Entities are required to enter into “Business Associate Agreements” with the Covered Entities. These Agreements set forth the obligations of the business associate to protect PHI, and in many cases provide for contractual liability to the Covered Entities in the event of a data security breach or other violation of HIPAA. Basically, any person or entity that handles individuals’ PHI in the course of its business is considered a “Business Associate” under HIPAA, whether or not it or the Covered Entities it deals with acknowledge that fact.
Overlooked examples of Business Associates could be private equity and venture capital funds who may, in the course of conducting due diligence on investment and buy-out targets, have access to PHI. Other traps for even the careful arise when evaluating an acquisition target to amend an existing portfolio company. HITECH even applies to entities that deal only with other Business Associates, rather than directly with a Covered Entity, if they could come into possession of PHI. Any entity that comes into possession of PHI, even indirectly or temporarily, for example, in the course of conducting due diligence in connection with a proposed acquisition, financing or underwriting, could have legal responsibilities under HIPAA and the HITECH Act.
Monetary penalties for violations of HITECH can be in the millions of dollars. While most Covered Entities and Business Associates are aware of their legal responsibilities by now, others may have been overlooked.
Sharon Roberts is a former State of Florida, Department of Health Inspector, and is now a practicing healthcare law attorney and pharmacist in Palm Beach County, FL, who specializes in healthcare and regulatory law practice with the law firm of Strawn, Monaghan & Metzger, P.A. She can be reached at (561) 278-9400 or visit
Share |