The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) in late May issued a fact sheet on direct liability of business associates for violations of the HIPAA Privacy, Security, Breach Notification and Enforcement Rules.
A business associate is an individual (other than a member of the covered entity’s workforce) or entity who performs or furnishes a function, activity or service for or on behalf of a covered entity involving the use or disclosure of protected health information (PHI). See this link for more information.
The fact sheet lists the following as grounds for OCR to take enforcement action against business associates:
- Failure to provide the HHS Secretary with requested documents or information
- Retaliatory action against any person for filing a HIPAA complaint, participating in an investigation or enforcement process, or opposing HIPAA violations
- Noncompliance with any requirement of the Security Rule
- Failure to notify a covered entity or business associate of a breach of PHI as required under the Breach Notification Rule
- Impermissible use or disclosure of PHI
- Failure to disclose electronic PHI (ePHI) as necessary to satisfy the covered entity’s obligation to provide PHI in response to an individual’s request
- Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose
- Failure to provide an accounting of disclosures of PHI
- Failure to enter into a business associate agreement with each of its subcontractors
- Failure to take reasonable steps to address a material breach by its subcontractor of the business associate agreement
In recent years the failure to enter into appropriate business associate agreements has been a common trigger for OCR settlements with covered entities. While it is too early to know whether this fact sheet portends an uptick in OCR enforcement actions against business associates, OCR Director Roger Severino expressed the intent to “make it as easy as possible for regulated entities to understand, and comply with, their obligations under the law.”
This guidance serves as an important reminder of the need for business associates to identify all of their business associate relationships, enter into valid business associate agreements, understand their HIPAA obligations, and take proactive steps to satisfy these duties and safeguard PHI. For a list of violations that have been most prevalent in HIPAA settlements, read our May 6, 2019 HIPAA settlements blog post.