Health Insurance Portability and Accountability Act (HIPAA) Clause
Summary
This clause requires the parties to an agreement to comply with the Health Insurance Portability and Accountability Act (HIPAA), which imposes, among other things, security and confidentiality obligations for patient information maintained by the health care industry. This template includes practical guidance and drafting notes.

In healthcare, many parties may come into contact with Protected Health Information (PHI). The issue is not only the interaction between the holder of the PHI and its business associates: many of those business associates may in turn use a subcontractor, and that subcontractor is itself viewed as a business associate that must also follow the non-disclosure rules. However, the covered entity is not required to obtain satisfactory assurances, in accordance with 45 C.F.R. § 164.314(a), from a business associate that is a subcontractor that it will appropriately safeguard the information. 45 C.F.R. § 164.308(b)(1). Rather, the burden is on the business associate to secure contract assurances or other agreements that the subcontractor will protect the information. See 78 Fed. Reg. 5573 (Jan. 25, 2013). Under common law principles of agency, covered entities are liable for the violations of their business associates, and business associates are liable for the violations of their subcontractors. See 45 C.F.R. § 160.402(c).

Note that HIPAA also requires the designation of a Privacy and Security Officer to oversee the privacy and security policies that relate to PHI. See 45 C.F.R. § 164.530(a)(1); 45 C.F.R. § 164.308(a)(2). The covered entity must also designate a contact person or office who is responsible for receiving complaints and who is able to provide further information about the matters covered. 45 C.F.R. § 164.530(a)(2).
A key component of the law is the candid reporting of disclosures, whether from the subcontractor to the business associate or from the business associate to the covered entity. See 45 C.F.R. § 164.314(a)(2)(iii) and 45 C.F.R. § 164.410.

For a full listing of related data security and privacy content for first-year associates, see First-Year Associate Resource Kit: Data Security and Privacy. For a full listing of data security content that applies to federal government agencies, see Data Security & Privacy for Government Agencies Resource Kit. For information on HIPAA, see HIPAA Privacy, Security, Breach Notification, and Other Administrative Simplification Rules. For additional resources regarding HIPAA, see HIPAA Resource Kit. For more on confidentiality, see Confidentiality Agreements. For more on life sciences corporate transactions, see Life Sciences Corporate Transactions Resource Kit.