The HHS Office for Civil Rights (“OCR”) recently issued a new fact sheet (“Fact Sheet”) addressing direct liability of business associates for violations of the HIPAA Privacy, Security and Breach Notification Rules (“HIPAA Rules”). The Fact Sheet serves as a reminder to business associates that in addition to their contractual liability to covered entities under the business associate agreements, business associates also have direct liability under HIPAA and are subject to OCR enforcement for violations of the HIPAA Rules. The Fact Sheet outlined the specific requirements of the HIPAA Rules with respect to which the OCR has authority to take enforcement action against business associates. These requirements include:
Numerous vendors that provide services involving access to PHI to healthcare organizations that are HIPAA covered entities can be considered business associates under HIPAA. Simply entering into business associate agreements with covered entities is not sufficient for HIPAA compliance. Rather, it is essential that business associates implement a HIPAA compliance program that addresses compliance with the HIPAA Rules. The Fact Sheet can serve as a resource for business associates reviewing their HIPAA policies and procedures to ensure compliance with the applicable requirements of the HIPAA Rules.