We attended a continuing medical education (CME) session on Friday, May 6 in Biloxi, MS. The CME was organized by the healthcare practice of Watkins & Eager. One of the issues that was discussed at the session was the significance of the HIPPA Agreement that health care professionals sign with their business associates whenever protected health information (PHI) is transferred from the health care professional to the business associate in the performance of health care activities and functions.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects the privacy and security of individuals’ identifiable health information and establishes an array of individual rights with respect to health information. The primary purpose of the Act is to ensure that “covered entities,” defined in the Act to include health plans, health care providers, and health care clearinghouses, protect an individual’s health care records and keep the information disclosed over the course of a treatment private.
Healthcare providers who are interested in medical factoring of their account receivables would need to sign a “HIPPA agreement” or business associates agreement with their medical funding company to ensure that the funding company will appropriately safeguard PHI. The HIPPA agreement protects both the provider and the funding company – considered under HIPPA as a business associate – by clarifying and limiting, as appropriate, the permissible uses and disclosures of PHI by the funding company, based on the relationship between the parties and the activities or services being performed by the funding company. The funding company may use or disclose PHI only as permitted or required by its business associate contract or as required by law.
It is important that a healthcare professional signs the HIPPA agreement before proceeding with medical factoring and exchanging PHI as a part of the funding process for 2 reasons:
1. A medical funding company would be directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of PHI that are not authorized by its contract or required by law.
2. A medical funding company is also directly liable and subject to civil penalties for failing to safeguard electronic protected health information in accordance with the HIPAA Security Rule.
By signing the HIPPA agreement as soon as the funding process begins protects both the medical provider and the funding company by ensuring that both parties are well aware of the sensitivity of health data being conveyed for the purposes of medical funding and received and clearly laying out the permissible and non-permissible uses of PHI.