HIPAA Obligations of Business Associates

Author: Gerry M. Balboni

In connection with the launch of your hosted application service focused on practice and revenue cycle management, you have inquired as to your obligations under Health Insurance Portability and Accountability Act (“HIPAA”). As a provider of claims processing or administration services, data processing services, billing, and or practice management services, you will be deemed a Business Associate of each “health care provider” that is a user of your services.

This memorandum outlines the primary obligations of Business Associates under HIPAA and the Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009 (“HITEC”). HITEC was enacted to promote the adoption and meaningful use of health information technology. Subtitle D of HITEC addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.