HIPAA Changes in the HITECH Act of 2009: Application of Privacy Provisions and Penalties to Business Associates


House bill Sec. 4404

Senate bill Sec. 13404
Conference agreement Sec. 13404

This text is from the Conference Committee Report

Current Law

The Privacy Rule promulgated pursuant to HIPAA permits a
covered entity to disclose health information to a business
associate or to allow a business associate to create or
receive health information on its behalf, provided the
covered entity receives satisfactory assurance in the form of
a written contract that the business associate will
appropriately safeguard the information.

Violations cannot be enforced directly against business
associates. Although covered entities are not liable for, or
required to monitor, the actions of their business
associates, if a covered entity finds out about a material
breach or violation of the contract by a business associate,
it must take reasonable steps to remedy the situation, and, if
unsuccessful, terminate the contract. If termination is not
feasible, the covered entity must notify HHS.

House Bill

The House bill would apply the HIPAA Privacy Rule, the
additional privacy requirements, and the civil and criminal
penalties for violating those standards to business
associates in the same manner as they apply to the providers
and health plans for whom they are working.

Senate Bill

Same provision.

Conference Agreement

Same provision.

 
