The Health Insurance Portability and Accountability Act (HIPAA) and its regulations set the standard for how organizations safeguard “protected health information” (PHI).  HIPAA’s Privacy Rule establishes national standards to protect individuals’ medical records and other PHI. 

 

The Privacy Rule applies to “covered entities,” defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which the Department of Health and Human Services (HHS) has adopted standards.  Some examples of covered entities include hospitals, physicians, and other health care providers.

 

The Privacy Rule also protects PHI when it is created or maintained by a person or entity conducting certain functions on behalf of a covered entity.  These entities are called “business associates.”  Before the covered entity discloses PHI to the business associate, the covered entity must obtain satisfactory assurances that the business associate will appropriately safeguard the PHI.  HIPAA requires a covered entity to enter into a written contract, known as a Business Associate Agreement, with its business associates.

 

The attorneys at Gess Mattingly & Atchison have worked with a number of covered entities and business associates, and have experience preparing and reviewing Business Associate Agreements.  The firm’s attorneys can also provide guidance to companies who want to expand their business to handle PHI and need assistance navigating HIPAA issues.  Call (859) 252-9000 to schedule a consultation with one of the firm’s health care law attorneys or visit the firm’s website for more information.
