Mitigating circumstances which surround Due Diligence and the HIPAA and HITECH Act

November 22, 2013

Significant liability potential, as well as heightened enforcement, surrounds one aspect of the healthcare industry. Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH), a corporation may suffer extensive civil and criminal penalties if it violates the rules or discloses any person's protected health information (PHI). Violations of these two acts may cause substantial operational, financial, and/or reputational harm to a corporation or any of its affiliates. Pursuant to 45 C.F.R. § 164.504(e), all HIPAA covered entities, their subcontractors, and any other business associates must comply with this regulation. Section 13404 of the HITECH Act covers the privacy terms required in the agreements made with business associates.

In order to lower overall risk and avoid additional penalty assessments, all corporations should comply with the HIPAA and HITECH Acts. A comprehensive risk assessment provides a legal avenue to mitigate liability exposure and brings a corporation into compliance with the applicable data breach, privacy, and security rules. Any risk assessment should be approached in the same manner as a corporation performing "due diligence as it pertains to the context of strategic initiatives (divestitures or joint ventures), mergers, and/or acquisitions." Due diligence has been defined as an affirmative duty to secure compliance with an obligation of disclosure, as well as the investigation that is always part of every corporate merger and acquisition, whether it is undertaken with a future legal defense in mind or simply as an affirmative duty owed to another business associate. Risk assessments are always required with each contracted party under the HITECH Act's Breach Notification Rule. Therefore, each business associate involved has to provide assurances of its compliance with the newly expanded HIPAA Privacy and Security Rule requirements.

Some considerations covered under the HIPAA and HITECH Acts as they pertain to due diligence

Corporate entities and their business associates are held accountable by HHS, as are the individuals they place in charge of safeguarding the private information covered under the HITECH Act. The primary objective of covered entities, subcontractors, and any other business associates is to clearly define the circumstances under which PHI may be used or disclosed to an outside party under HIPAA. Federal common law may always be applied in determining whether a party is an agent of the corporate entity.

In short, any HIPAA or HITECH Act breach could carry civil and criminal penalties and/or sanctions that may significantly affect a corporation's reputational, financial, and/or operational standing. Therefore, "due diligence" is definitely required under the statute, and every covered entity should be proactive in performing risk assessments and in following the internal policies and procedures set out in its manuals.