News & Insights  |  Media Mentions

Related Professionals

Practice Areas


Patricia O'Connell
Senior Communications Manager

Kirk Nahra Discusses HIPAA Enforcement for Business Associates of Health Care Organizations

Healthcare Info Security
March 18, 2016

Kirk J. Nahra, chair of Wiley Rein’s Privacy Practice and co-chair of the Health Care Practice, was quoted in a March 17 article about a $1.55 million penalty imposed by federal regulators on a Minnesota health care system as part of a settlement following an investigation of a business associate’s data breach.

The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) cited the provider’s failure to enter into a business associate agreement with the vendor, which had access to protected health information. Such agreements are required under the Health Insurance Portability and Accountability Act (HIPAA).

Mr. Nahra said it’s only a matter of time before OCR begins sanctioning business associates for their HIPAA compliance violations.

“This incident affected behavior from a business associate before the time period when OCR had formal authority over business associates. Now, business associates—with or without a business associate agreement—are subject to enforcement,” he said. “HHS has not yet taken action against a business associate, and will have some real challenges as to how to apply HIPAA’s rules, particularly the Security Rule, to the vast array of business associates that exist.”

Under the HIPAA Security Rule, every business associate with access to protected health information is treated the same as a hospital or a health insurer, Mr. Nahra added. “HHS will face challenges in approaching enforcement in this area, but, to date, HHS has proved reasonable and effective in managing these enforcement challenges,” he said.

To read the complete article, please click here.