Shield Your Practice from Business Associates’ HIPAA Faults

September 17, 2012 – In The News
DecisionHealth Medical Practice Compliance Alert
Sometimes even the most compliant physician practices end up liable for HIPAA violations caused by their business associates’ handling of patient information on the practice’s behalf. This held true for Accretive Health, which recently agreed to pay the state of Minnesota $2.5 million after an employee stole thousands of files that were filled with patient data.

Michael Kline and Elizabeth Litten, both partners and members of the firm’s Health Law department, believe that physician practices can take certain steps to prevent HIPAA violations.

Kline told a recent DecisionHealth Medical Health Compliance Alert that employers should have written business associate agreements that protect the practice. However, Kline warned that these agreements “are not one-size-fits-all documents,” and that the agreements should reflect the relationship between the covered entity and the business associate. “Spell out how the business associate will protect your patients’ information … and who will pay to handle the fallout,” said Kline.

Litten told DecisionHealth that it is important for hospitals to reassess their own conduct as well. In the case of Accretive, Litten believes that the hospitals were also to blame for HIPAA violations. “The hospitals were cavalier about the access given to information. Diagnoses aren’t relevant [to bill collecting],” said Litten.