Enforcement Actions on the Rise: Is Your Business a ‘Business Associate’ With Obligations Under HIPAA?


Jenna Bickford is a partner in the Business Transactions Group of MacDonald Illig Attorneys. She represents clients across a number of practice areas, including business transactions, real estate, government services and public finance, and health care.

The U.S. Department of Health and Human Services, Office of Civil Rights, conducted 17,694 investigations under HIPAA (Health Insurance Portability and Accountability Act of 1996) in 2015, up from 5,393 just 10 years earlier. In addition, fines imposed in 2016 increased 300 percent from the prior year. With enforcement actions, including onsite audits, on the rise, it is important for businesses that interact with health-care organizations to know if they have obligations under HIPAA.

Rules and Regulations
HIPAA’s “Privacy Rule” sets forth rules for the use and disclosure of “Protected Health Information” or “PHI.” PHI is personally identifiable information related to a person’s physical or mental health, provision of health care to the person or payment for such care. HIPAA’s “Security Rule” requires certain safeguards be implemented in order to protect the security of PHI stored or transmitted electronically.

While HIPAA is commonly understood to apply to health-care providers, its provisions actually have a broader reach. HIPAA applies to “Covered Entities,” which include certain health-care providers, health plans and health-care clearinghouses. In addition, the HITECH Act of 2009 expanded certain HIPAA requirements to “Business Associates.” A Business Associate is any person or entity that performs services, functions or activities for a Covered Entity and receives PHI in order to do so.

Businesses such as information technology companies, data analysts, billing companies, consultants, attorneys, accountants, and others may be Business Associates with obligations under HIPAA.

Some key obligations of Business Associates include:

  • Having a “Business Associate Agreement” in place that governs the obligations of the Business Associate with respect to PHI it receives from the Covered Entity.
  • Implementing certain administrative, technical and physical safeguards to protect PHI the Business Associate receives from the Covered Entity.
  • Reporting certain impermissible uses and disclosures of PHI to the Covered Entity.

If you or your business performs services, functions or activities for a Covered Entity, it is critical that you analyze whether you are a Business Associate with obligations under HIPAA.

If you need assistance with HIPAA compliance, please contact Jenna Bickford at 814/877-7762 or any other member of MacDonald, Illig, Jones & Britton’s health-care group.