Liability of Business Associates for HIPAA Penalties

Holland & Hart - Health Law Blog

The HITECH Act extended certain HIPAA obligations to business associates, including those entities that create, receive, maintain or transmit protected health information (“PHI”) on behalf of covered entities. Business associates who fail to comply with their HIPAA obligations may be directly liable for HIPAA penalties ranging from $114 to $57,051[1] per violation.

The Office for Civil Rights recently affirmed the conduct that would subject business associates to direct liability under HIPAA, including the following:

  1. Failure to comply with the requirements of the HIPAA Security Rule, e.g., performing a risk assessment or implementing the required administrative, physical and technical safeguards.
  2. Failure to enter business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.
  3. Failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.
  4. Impermissible use or disclosure of PHI, including a use or disclosure that is not permitted under the business associate agreement.
  5. Failure to make reasonable efforts to limit the request, use or disclosure of PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
  6. Failure to disclose a copy of electronic PHI to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement) as necessary to enable the covered entity to comply with the patient’s right of access.
  7. Failure to provide an accounting of disclosures as necessary to enable the covered entity to comply with its obligations to provide such an accounting when requested.
  8. Failure to notify the covered entity or another business associate of a breach of PHI as required by the breach notification rule.
  9. Retaliating against others for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules.
  10. Failure to provide HHS with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by HHS to information, including protected health information, pertinent to determining compliance.

(See OCR Fact Sheet, Direct Liability of Business Associates).

In addition to HIPAA penalties, business associates may also be sued by the covered entity if the business associate breaches the terms of its business associate agreement. Business associate agreements often contain additional indemnification, hold harmless or penalty provisions that may impose additional requirements. The bottom line is that, like their covered entity clients, business associates must take their HIPAA obligations seriously.

For more information concerning business associate obligations, see our article Complying With HIPAA: A Checklist for Business Associates. For help in determining whether you are a business associate or ways to avoid business associate obligations, see our articles Identifying Business Associates: Make Sure You Have BAAs in Place and Avoiding Business Associate Agreements.

[1] The penalty amounts are subject to annual cost of living adjustments. (45 CFR 102 & 160.404; see also 83 FR 51378).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Holland & Hart - Health Law Blog | Attorney Advertising
