DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Can a Business Associate be Liable for a HIPAA Breach When Its Client Isn’t a Covered Entity?

Posted on December 24, 2015 by Dissent

Yesterday morning, some of were following up on a ProPublica report  about a New Jersey clinic who, when suing patients for overdue accounts, included their diagnostic codes in materials sent to their collection agency. Those records – containing the patients’ names, diagnostic codes, and treatment codes – became part of public court records.

There were some interesting questions raised by the case. The Short Hills Associates in Clinical Psychology provides its patients with its notice of privacy practices, but when an aggrieved patient filed a complaint with HHS over the disclosure of his diagnostic code, OCR closed the case without action because the clinic – using paper records for transactions – was not a HIPAA-covered entity.

But what about the collection agency? If the clinic was not a HIPAA-covered entity, was the collection then not a Business Associate under HIPAA? At first blush, it might seem unreasonable to think that they could still be a business associate and subject to HIPAA’s restrictions on only disclosing what is necessary to obtain payment.

But Texas attorney Jeff Drummond raised some very interesting points in our discussion, including one that if the collection agency was a BA for any other entity, then they might be covered by HIPAA to protect all clients’ patient records.

Jeff has blogged about the issues raised by this case on HIPAA Blog. It’s a post – and interpretation of HIPAA – that I found surprising, to say the least. I would love to see a panel discuss this issue at a conference. In the meantime, I may shoot a link to it over to HHS to ask for their reaction.

In the meantime, go read Jeff’s post.

Category: Health DataOf Note

Post navigation

← Feds widen probe into lottery IT boss who rooted game for profit
Dumont hospital employees shocked Dr. Fernando Rojas returning to work →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • AMI Group – Travel & Tours notice of ransomware attack
  • Resource: Insider Threat reports
  • Za: Cyber extortionist sentenced to eight years in jail
  • ICE takes steps to deport the Australian hacker known as “DR32”
  • Hearing on the Federal Government and AI
  • Nigerian National Sentenced To More Than Five Years For Hacking, Fraud, And Identity Theft Scheme
  • Data breach of patient info ends in firing of Miami hospital employee
  • Texas DOT investigates breach of crash report records, sends notification letters
  • PowerSchool hacker pleads guilty, released on personal recognizance bond
  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Decision That Murdered Privacy
  • Hearing on the Federal Government and AI
  • California county accused of using drones to spy on residents
  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.