As most healthcare organizations are by now aware, the privacy rule proposed under the Health Insurance Portability and Accountability Act of 1996 is very complex and creates many pitfalls for covered entities that aren't prepared for the new regulations.
These entities are defined by HIPAA as health plans, healthcare clearinghouses and healthcare providers that transmit health information in an electronic form.
Healthcare organizations may not realize, however, that relationships with a wide variety of business partners are also covered under these laws.
HIPAA defines business partners as entities to which a healthcare organization discloses protected information to help it carry out a function or activity. That includes contractors or others which receive such information either from the covered entity itself or from another business partner of the entity. Examples include attorneys, auditors, billing firms, consultants, data processing firms and third-party administrators. Members of a covered entity's workforce are excluded.
Under the proposed privacy rule, healthcare organizations may not disclose to business partners "individually identifiable health information" that has been stored electronically (even if it is later converted to a different format, such as paper) unless a contract with that partner protects its confidentiality.
The only exception is disclosure between providers for consultation or referral purposes. The contract must restrict partners from using or disclosing the information in ways that violate the rule or for purposes not covered in the contract. Consequently, health plans, providers and clearinghouses will need to review and revise these contracts to ensure compliance.
But the restrictions do not end there. Each covered entity must notify enrollees about its policies regarding the use and disclosure of protected information. It must require business partners to comply with these policies, as well as with HIPAA privacy regulations and applicable state law.
Furthermore, each covered entity must require its partners to implement similar safeguards.
Herein lies one of several complications. By implication, a business partner's privacy safeguards must distinguish among the policies of all covered entities it contracts with, so that the business partner does not disclose information it obtained from more than one entity in ways that violate the policies of any of the covered entities supplying that information.
The business partner must protect itself against any possible uses or disclosures that are prohibited by HIPAA, by applicable state law or by its own contract with the covered entity, while also coordinating its records and policies to indicate what information was gathered from which source or sources. Obviously, this is not an easy task. And it's unclear what the liability is for a partner that fails to fulfill this responsibility.
The Department of Health and Human Services does not have the authority under HIPAA to directly regulate non-covered entities. As a result, the privacy rule says covered entities are liable for unauthorized use or disclosure of protected information by their business partners in cases where they "knew or should have known" about the prohibited activity and failed to take reasonable steps to redress it or to terminate the contract.
For example, if a hospital discloses protected information to an outside medical management organization, and the hospital then turns a blind eye to the fact that the outside organization uses that data for marketing purposes, the hospital could be sanctioned.
Although the privacy rule states that covered entities do not have an obligation to monitor their business partners - unless a partner repeatedly or gravely violates the contract - the "knew or should have known" language on which liability hinges creates a morass of uncertainty.
It's unclear, for example, when a covered entity "should" have known of a violation by one of its partners. If it trusts its business partners and therefore does not monitor them, will knowledge of a blatant breach by a business partner be imputed because the covered healthcare organization "should have known" about it?
What about a violation the covered entity could have discovered with minimal monitoring? Or one that could have been discovered if it had regularly and thoroughly audited its partners?
On the other hand, if a covered entity carefully monitors its business partners and discovers that certain infringements have occurred, might it also be expected to know about less blatant or less obvious breaches? The answers to all of these questions are unclear.
In promulgating the privacy rule, the Secretary of Health and Human Services suggested that covered entities include in their contracts with business partners clauses allowing them to sanction those partners for contract violations, intentional or not. In addition, depending on the severity and frequency of breaches by a business partner, the covered entity may be required to terminate its contract with that partner. Eventually, HHS and the courts will provide guidance on these issues.
Until then, only one thing is really clear: HIPAA may, in fact, require you to be your business partner's keeper. The details remain murky and will certainly be a matter of much debate in coming months.
© 1999 - Moses & Singer LLP all rights reserved.