Do Your Contracts With Third Parties Comply With Regulations?

If your company qualifies as a covered entity under the Health Insurance Portability and Accountability Act (“HIPAA”) and does not comply with regulations required for contracting with 3rd parties, your company may be on the hook. Similarly, if your company acts as a 3rd party for a HIPAA covered entity and your contract is not in compliance, the covered entity may terminate your contract.

Under HIPAA, HIPAA covered entities (health care providers, insurers, and health plans) are required to maintain the privacy of confidential health information. However, many of these HIPAA covered entities hire third parties to perform various services, such as billing, benefit management, practice management, claims processing, quality assurance, and data analysis. Through this practice, many third parties have access to protected health information.

To ensure the confidentiality of protected health information, HIPAA has created rules that allow HIPAA covered entities to disclose protected health information to some third parties under certain circumstances. HIPAA defines these 3rd parties as “business associates”, meaning a person or entity that works for, or provides services to, a HIPAA covered entity.

HIPAA covered entities are allowed to disclose protected health information to 3rd party business associates if the covered entity obtains written satisfactory assurances from the 3rd party that the 3rd party will use the information only for proper purposes as well as having the 3rd party agree to safeguard protected health information from misuse. Proper purposes are purposes in connection with the work that the 3rd party has been hired to perform. The 3rd party must comply with many of the HIPAA covered entity’s duties under HIPAA.

Sample contracts that HIPAA covered entities can use with 3rd parties can be obtained from the US Department of Health and Human Services. These contracts are required to specifically state the authorized uses of protected health information, as well as state the limits to disclosure. Although contracts with 3rd parties are required to contain explicit statements providing safeguards of confidential information, HIPAA covered entities are not required to monitor 3rd parties. Should a covered entity become aware of any violations of HIPAA, the covered entity must take steps to remediate the violation, or terminate the contract.

If you have need help ensuring that your business complies with federal and state regulations, or need assistance preparing contracts, please contact Waltz, Palmer & Dawson, LLC at (847)253-8800.