HIPAA violations: Business associate agreements are not necessarily a shield

May 25, 2016

Blog Post

Healthcare providers should remember that a business associate agreement does not provide blanket protection for the provision of protected health information (PHI) to a business associate, or the use of that information by a business associate. The underlying disclosure and use of the PHI must also be permissible under HIPAA regulations, such as for treatment or payment purposes.

For example, if a sales representative of a healthcare provider wishes to have unlimited access to PHI (such as the medical records of the healthcare provider’s patients), it is highly unlikely that such unlimited access to PHI would be permissible under HIPAA. Signing a business associate agreement with the sales representative will not convert this situation into a permissible one, because the underlying disclosure and use of the PHI must comply with HIPAA.

Last week, the United States Supreme Court heard a case concerning publicly traded organizations' duties to report data breaches to investors. The Court's forthcoming ruling may expand publicly traded companies' obligations to report data security incidents to their investors.

McDonald Hopkins is proud to welcome Associate Hannah Jones to the firm’s Litigation Department and the national Data Privacy and Cybersecurity Practice Group.

McDonald Hopkins is proud to welcome four new associates to the firm, all of whom previously worked at the firm as clerks during their law school years. Their desire to officially start their legal careers at McDonald Hopkins underscores the commitment to being a destination for top-tier legal talent and, ultimately, a cultivator for that talent.

HIPAA violations: Business associate agreements are not necessarily a shield

Related Services

You may also be interested in