Part 2: Healthcare Leases: Understanding HIPAA Impacts

Building Operating Management

Authored Article

Acronyms abound in the healthcare sector. HIPAA is the Health Insurance Portability and Accountability Act of 1996. Broadly speaking, HIPAA was enacted to safeguard an individual's health information, the privacy of such health information having been deemed a basic civil right by Congress. Healthcare leases are affected by virtue of the care required to secure such protected health information. What constitutes protected health information is comprehensively defined under HIPAA, as are "covered entities," including health plans, healthcare clearinghouses, and most healthcare providers.

Under HIPAA, covered entities are required to establish policies and procedures to safeguard the confidentiality of individuals' protected health information. HIPAA also indirectly regulates third parties to whom covered entities disclose health information for the third party to perform some function on behalf of the covered entity; such third parties are referred to as "business associates."

Tenants do not typically disclose health information to landlords for the landlord to perform functions on behalf of the tenant. For example, a landlord does not need access to health information to repair a rattling HVAC duct. While the landlord might stumble across health information while completing the repairs on the leased premises, the landlord does not need health information to perform its duties under the lease. Ordinarily, therefore, landlords are not business associates.

Assuming the landlord is not a covered entity, it would not have obligations under HIPAA. In other words, from a landlord-tenant perspective, if the tenant is a covered entity and the landlord is not, then the burden and obligations of securing protected health information fall solely on the tenant. The tenant (or the covered entity) has the obligation to implement reasonable safeguards to prevent intentional and unintentional disclosures of protected health information in violation of HIPAA.

Guidance from the federal government is that protected health information "should be protected with reasonable administrative, technical and physical safeguards to ensure its confidentiality, integrity and availability and to prevent unauthorized or inappropriate access, use or disclosure."

Whether this means creating a procedure to confirm that all health records are locked at a certain time each day before janitorial services may enter the leased premises, creating specific areas that landlords and janitorial services cannot enter except in the event of an emergency, or requiring that any access by third parties to the leased premises be supervised, the covered entity that is a party to the healthcare lease should confirm that such reasonable safeguards are in place and specified, as necessary, in the lease.

Republished with permission. This article first appeared in Building Operating Management in April 2015.