But, I'm Just a Business Associate...Think Again.

Murtha Cullina

Business Associates – beware. On May 24, 2019, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) released a fact sheet on the direct liability of business associates under HIPAA (“Fact Sheet”). This information itself is not new, as HITECH and the 2013 HIPAA Omnibus Rule identified components of HIPAA that apply directly to business associates. However, the Fact Sheet serves as a great reminder to covered entities and business associates of the importance of HIPAA compliance and the maintenance of business associate agreements with contractors and subcontractors.

It is worth noting that OCR already has HIPAA enforcement actions against business associates under its belt. For example, in 2016, OCR entered into a settlement agreement with a management and information technology services company that provided services to nursing homes for its failure to safeguard nursing home residents’ PHI. The business associate settled with OCR to the tune of $650,000. It is likely that this Fact Sheet is a preview of HIPAA enforcement actions to come. The Fact Sheet lists ten violations where OCR has authority to enforce against a business associate. This broad list includes, but is not limited to:

(1) the failure to comply with the Security Rule;
(2) impermissible uses and disclosures of protected health information;
(3) the failure to provide breach notification to a covered entity or another business associate;
(4) the failure to comply with the minimum necessary rule under HIPAA;
(5) the failure to enter into business associate agreements with subcontractors and implement such
contract provisions; and
(6) the failure to take reasonable steps to address a material breach or violation of a
subcontractor’s business associate agreement.

If your business performs functions or activities that involve the protected health information of a health care provider, health plan or health care clearinghouse, now is a good time to double-check your HIPAA compliance.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Murtha Cullina | Attorney Advertising

Written by:

Murtha Cullina

Murtha Cullina on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.