The recent Target Corp. data breach was a stark reminder for businesses to ensure that the proper safeguards are in place to protect the privacy and security of all electronic data. With reports of multiple lawsuits filed against the Fortune 500 company, businesses of all types are discussing the procedures necessary to safeguard the privacy and security of electronic data from unauthorized access. Now consider a business working in the health care sector, where the federal government has enacted additional rules and regulations regarding the protection of protected health information, or PHI, under the Health Insurance Portability and Accountability Act (HIPAA), as amended.

On Jan. 25, 2013, the latest amendment to the HIPAA legislation was published in a Final Rule from the Department of Health and Human Services and the HHS Office for Civil Rights, implementing changes enacted as part of the Health Information Technology for Economic and Clinical Health Act of 2009. Significant duties and responsibilities were imposed not only on health care providers, but also on the business associates and their subcontractors that assist the health care providers. Under the Final Rule, changes were made to (1) the definition of the business associate under HIPAA; (2) the amount of scrutiny applied to business associate agreements under HIPAA; and (3) the liability of business associates and subcontractors under HIPAA. Accordingly, it is important for businesses in the health care sector to reevaluate the policies and procedures implemented to protect the privacy and security of electronic PHI (“e-PHI”), especially since the federal government can impose hefty fines and criminal penalties for violations of the privacy laws.