DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Can a Business Associate be Liable for a HIPAA Breach When Its Client Isn’t a Covered Entity?

Posted on December 24, 2015 by Dissent

Yesterday morning, some of were following up on a ProPublica report  about a New Jersey clinic who, when suing patients for overdue accounts, included their diagnostic codes in materials sent to their collection agency. Those records – containing the patients’ names, diagnostic codes, and treatment codes – became part of public court records.

There were some interesting questions raised by the case. The Short Hills Associates in Clinical Psychology provides its patients with its notice of privacy practices, but when an aggrieved patient filed a complaint with HHS over the disclosure of his diagnostic code, OCR closed the case without action because the clinic – using paper records for transactions – was not a HIPAA-covered entity.

But what about the collection agency? If the clinic was not a HIPAA-covered entity, was the collection then not a Business Associate under HIPAA? At first blush, it might seem unreasonable to think that they could still be a business associate and subject to HIPAA’s restrictions on only disclosing what is necessary to obtain payment.

But Texas attorney Jeff Drummond raised some very interesting points in our discussion, including one that if the collection agency was a BA for any other entity, then they might be covered by HIPAA to protect all clients’ patient records.

Jeff has blogged about the issues raised by this case on HIPAA Blog. It’s a post – and interpretation of HIPAA – that I found surprising, to say the least. I would love to see a panel discuss this issue at a conference. In the meantime, I may shoot a link to it over to HHS to ask for their reaction.

In the meantime, go read Jeff’s post.

Related posts:

  • The CoPilot Provider Support Services incident: The HIPAA issue
  • HHS Office for Civil Rights Imposes a $240,000 Civil Monetary Penalty Against Providence Medical Institute in HIPAA Ransomware Cybersecurity Investigation
  • Remember your baby’s newborn pictures? They may still be online.
  • Small-Scale Violations of Medical Privacy Often Cause the Most Harm
Category: Health DataOf Note

Post navigation

← Feds widen probe into lottery IT boss who rooted game for profit
Dumont hospital employees shocked Dr. Fernando Rojas returning to work →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Swiss Health Foundation Radix Hit by Cyberattack Affecting Federal Data
  • Russian hackers get 7 and 5 years in prison for large-scale cyber attacks with ransomware, over 60 million euros in bitcoins seized
  • Bolton Walk-In Clinic patient data leak locked down (finally!)
  • 50 Customers of French Bank Hit by Insider SIM Swap Scam
  • Ontario health agency atHome ordered to inform 200,000 patients of March data breach
  • Fact-Checking Claims By Cybernews: The 16 Billion Record Data Breach That Wasn’t
  • Horizon Healthcare RCM discloses ransomware attack in December
  • Disgruntled IT Worker Jailed for Cyber Attack, Huddersfield
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Texas Centers for Infectious Disease Associates Notifies Individuals of Data Breach in 2024

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Trump administration is building a national citizenship data system
  • Supreme Court Decision on Age Verification Tramples Free Speech and Undermines Privacy
  • New Jersey Issues Draft Privacy Regulations: The New
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.