Q: Does my business have to comply with the Health Insurance Portability and Accountability Act (HIPAA) even though we do not provide health care?
A: Recent changes to HIPAA greatly expanded the scope of privacy and security protections and directly applied certain HIPAA provisions to entities defined as "business associates."
Under what is known as the HITECH Act, you may qualify as a "business associate" if your business performs activities or services involving the use or disclosure of protected health information. Although this list is far from exhaustive, common types of "business associates" are those businesses that provide legal services, data collection/analysis, billing, benefit management, accounting, and consulting services.
The law requires that "business associates" have a business associate agreement with the health care provider for whom services are provided. The contract must include certain elements specifically defined by federal regulation.
"Business associates" may incur civil money penalties for violations of certain HIPAA privacy and security rules based on their own acts or omissions or potentially acts or omissions by their agents. If you are, or may be, a "business associate," you should consult with an attorney experienced in this area of the law to ensure your compliance with applicable laws.
Courtney Garcea is an attorney with the law firm of Lukins & Annis, P.S., where her practice includes business, health care, and employment litigation and consultation.
Published in the Journal of Business September 10th 2015