OCR Clarifies Direct Liability of Business Associates Under HIPAA

Saul Ewing LLP
Saul Ewing Arnstein & Lehr LLP

On May 24, 2019, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), released a new fact sheet describing 10 ways in which a “business associate” can be liable under HIPAA. The new fact sheet comes one day after the announcement of a settlement where a HIPAA business associate agreed to pay $100,000 and enter into a corrective action plan to resolve allegations of HIPAA non-compliance.

Business associates have been directly liable for HIPAA violations since the HITECH Act was passed in 2009, as formalized in the so-called HIPAA Omnibus Rule promulgated by HHS in 2013. The new fact sheet consolidates the requirements throughout the HIPAA Privacy, Security and Breach Notification Rules for which a business associate may be directly liable. The items discussed in the fact sheet for which the OCR may take enforcement action against a business associate include:

  • failure to cooperate with OCR complaint investigations;
  • taking retaliatory action against an individual for filing a HIPAA complaint;
  • non-compliance with the HIPAA Security Rule;
  • failure to provide a breach notification to a HIPAA covered entity;
  • impermissible uses and disclosures of PHI;
  • failure to fully comply with HIPAA’s right of access as specified in the business associate agreement with the applicable covered entity;
  • failure to follow the minimum necessary standard;
  • failure in certain instances to provide an accounting of disclosures;
  • failure to enter into down-stream business associate agreements; and
  • failure to take reasonable steps to address a breach of a subcontractor’s business associate agreement.

Conversely, the OCR lacks authority to enforce other HIPAA regulations against a business associate, and would take action against the applicable covered entity directly, even where the business associate actually committed the violation.

HIPAA-covered entities and business associates must comply with the HIPAA requirements or face the consequences from OCR. The new OCR fact sheet is a friendly reminder of areas where a noncompliant business associate can get itself into trouble and also potentially create exposure for the covered entity for which it is providing services.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Saul Ewing LLP | Attorney Advertising
