HIPAA and the Concept of Trust

December 20, 2013
Rachel V. Rose, JD, MBA

Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.

Ensuring a "chain of trust" is present with protected health information is essential for medical practices following the HIPAA Final Omnibus Rule.

"[W]e either trust someone or we don’t … it’s a binary matter, a placing of faith or a breach of faith. A breach of faith is seldom mended, either."

- Sandy Costa, The Gift of Trust

This premise of trust actually is pervasive throughout HIPAA. In fact, the phrase "chain of trust" has been utilized by HHS for over a decade in relation to the relationship between the entities who create, receive, maintain or transmit protected health information (PHI).

This concept of trust is premised upon the legislative intent behind HIPAA’s implementation in 1996. In passing HIPAA, Congress focused on the privacy of an individual’s health information as the cornerstone for the subsequent Administrative Simplification Rules. In turn, everyone in the "chain of trust," regardless of entity size, has an obligation to protect the identifying factors linking an individual to past, present or future medical treatment or payment.

One particular required area of compliance highlights this notion of trust - the business associate agreement (BAA). A BAA is a contract between a covered entity and a business associate, between a business associate and another business associate, or between a business associate and its subcontractor, in which the two parties provide reasonable assurances that the PHI used in the course of business is handled in accordance with the privacy and security standards.

In today's healthcare landscape, especially with the proliferation of protected health information and of the technological means that handle it (e.g., electronic monitoring of blood sugar levels and transmission of data from a pacemaker to the physician and manufacturer), compliance with the various provisions of the Omnibus Rule is paramount. Not only can non-compliance constitute a breach of contract between the parties; on a larger scale, providers attest to compliance in their Medicare provider agreements, as well as when receiving funds for the implementation of meaningful use.

Once a "breach of faith" occurs, the residual ramifications can be costly. Therefore, the best way to ensure that the "chain of trust" and the privacy and security of PHI remain intact is to have a comprehensive risk assessment and risk analysis performed and to correct the areas of deficiency they identify.