Medical Records Privacy and Security (HIPAA)

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) imposes strict requirements on HIPAA Covered Entities, consisting of health care providers, health plans and health care clearinghouses, with respect to the privacy and security of protected health information (PHI), including electronic PHI (ePHI). 

The Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted in 2009, extended these requirements to apply directly to Business Associates of these entities, i.e. any vendors or service providers that create, maintain, receive, use or disclose health information on behalf of health care providers, health plans and health care clearinghouses. 

The HITECH Act also strengthened the enforcement of HIPAA, including increasing potential penalties that can be levied if a violation occurs.

Bowles Rice has significant experience advising Covered Entities and Business Associates regarding their HIPAA obligations, helping them avoid the significant penalties and liabilities that can accrue from violations of these laws.

Bowles Rice represents clients with regard to health information privacy, including:

• Advising health care providers with respect to the day-to-day HIPAA questions that arise regarding patient access to health information, use and disclosure of health information, and electronic security of patient record systems;
• Preparing the HIPAA Privacy, Security and Breach Notification Policies and Procedures HIPAA requires all health care providers and health plans to maintain, establishing that the entity has evaluated its HIPAA risks and obligations, and adopted to minimize the risk of information privacy and security breaches;
• Assisting HIPAA Covered Entities to comply with Breach Notification requirements imposed by the HITECH Act;
• Advising employers sponsoring group health plans regarding their obligations under HIPAA with respect to plan participants’ health information;
• Preparing and reviewing Business Associate Agreements (BAAs) and Subcontractor Business Associate Agreements (Subcontractor BAAs);
• Representing HIPAA Covered Entities and Business Associates in investigations by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) into HIPAA compliance and allegations of HIPAA violations;
• Assisting litigators to ensure the disclosure of medical records in discovery complies with HIPAA requirements, when applicable; and
• Providing required training sessions to employees of HIPAA Covered Entities and Business Associates