Healthcare providers, health plans and healthcare clearinghouses (“covered entities”) and business associates are subject to significant penalties for violations of the HIPAA Privacy, Security and Breach Notification Rules. To make matters worse, covered entities may be liable for their business associates’ misconduct, and business associates may be liable for their subcontractors’ violations. Covered entities and business associates must take appropriate steps to minimize exposure for their business associates’ or subcontractors’ violations.
...HIPAA penalties are mandatory if a covered entity or business associate acts with willful neglect. On the other hand, a covered entity or business associate who does not act with willful neglect and who corrects the violation within thirty (30) days may avoid HIPAA penalties; correcting the situation is an affirmative defense to penalties. (45 CFR § 160.402).
Originally published in AHLA's Physicians and Hospitals Law Institute, February 5, 2018.