Day Pitney remains committed to providing quality legal counsel, while protecting our clients and employees, and transforming our communities into more just, equal and equitable spaces. For more information, please visit our COVID-19 Resource Center | Racial Justice and Equity Task Force.


In the News Press Release

Deadline Nears for Health Providers on Data Security Agreements

Publisher: Compliance Week
September 9, 2014

Healthcare law attorney Eric Fader was quoted extensively in a September 9 Compliance Week article titled, "Deadline Nears for Health Providers on Data Security Agreements." The article discusses, among other things, the impending September 23, 2014 deadline for healthcare providers and other entities to update their HIPAA Business Associate Agreements ("BAAs") to comply with new requirements in the Department of Health and Human Services' "omnibus final rule," released on January 25, 2013. In discussing the need for BAAs, Eric stated, "By signing the agreement, you are telling the government you know what HIPAA and the HITECH Act are, and that you know what your obligations are and take them seriously."

"A failure to comply with the statutory obligations makes the consequences of a data breach much worse," he added. "We've seen the federal government making examples of different healthcare entities in different categories of businesses and for different types of breaches, but there are people out there who just still don't get it. 'Oh, it would cost us a lot of money to encrypt our e-mails.' I don't care, you have to do it."

Eric pointed out that the so-called "conduit exception" under HIPAA's definition of "business associate" has been narrowed: "You used to be able to say you were just a conduit for information if you ran a [server farm]. But the exception has been narrowed so only true couriers, like the post office and internet service providers, are considered conduits."

"I still see resistance to being called a business associate, and that's foolish," Eric said, because business associate status is determined by actual conduct and denial is no protection from potential liability. Furthermore, subcontractors of business associates are subject to the HIPAA rules to the same degree: it is clear that "obligations go down the chain" from HIPAA "covered entities," to business associates, to their subcontractors.

Related Professionals
New York, NY
T: (212) 297 2413