Health Care Today | Health Law Blog

The Office of Civil Rights (OCR) within the Department of Health and Human Services (HHS) has been able to hold “business associates” directly liable for certain HIPAA violations since 2009, with the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act. Under HIPAA, a “business associate” is an entity that receives protected health information (PHI) in order to provide services to a “covered entity” (such as a health care provider, a health plan, or a heath care clearinghouse).

There has been a lot of movement throughout the country on the state level to prevent patients from receiving surprise medical bills when they receive unanticipated care from out-of-network providers while seeking care from in-network providers. For example, in 2018, Missouri passed such legislation, which banned surprise medical bills for patients who are treated by an out-of-network physician at an in-network emergency room.