Blog Post

OCR Reiterates Direct Liability Authority Over Business Associates

Richard P. Kusserow | June 2019

Ten ways BAs are directly liable for HIPAA violations

The HITECH Act made business associates (BA) of covered entities directly liable for failure to comply with certain HIPAA rules. Following the passage of the HITECH Act, OCR issued a final rule to amend the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules. The rule identified HIPAA provisions that apply directly to BAs and for which BAs can be directly liable. In a recent fact sheet, the OCR restated its authority to hold BAs directly liable for violations of these provisions.

The OCR fact sheet specified that it can hold BAs directly liable for the following HIPAA violations:

  1. Failure to provide or permit the Secretary of the Department of Health and Human Services with records, compliance reports, and access to information, including protected health information (PHI); and failure to cooperate with complaint investigations and compliance reviews.
  2. Retaliating against any individual for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is in violation of the HIPAA Rules.
  3. Failure to comply with the HIPAA Security Rule.
  4. Failure to provide a covered entity or another BA with notification of a breach.
  5. Impermissible uses and disclosures of PHI.
  6. Failure to disclose a copy of electronic protected health information (ePHI) to either the covered entity, the individual, or the individual’s designee (whichever is specified in the BA agreement (BAA)) to satisfy a covered entity’s obligations regarding the form and format, and the time and manner of individual access to PHI. (However, OCR notes that it lacks the authority to enforce the cost-based fee regulations against BAs and could only hold a covered entity liable for charging impermissible fees to individuals requesting access to their PHI.)
  7. Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
  8. Failure to provide an accounting of disclosures, in certain circumstances.
  9. Failure to enter into a BAA with subcontractors that create or receive PHI on the BA’s behalf, and failure to comply with the agreement implementation specifications.
  10. Failure to take reasonable steps to address a material breach or violation of the subcontractor’s BAA.

For assistance with your HIPAA Privacy Program, contact Lisa Shuman, MPA, CHC, CHPC, CHRC (lshuman@strategicm.com) or Catie Heindel, JD, CHC, CHPC, CHPS (CHeindel@strategicm.com).

About the Author

Richard P. Kusserow established Strategic Management Services, LLC, after retiring from being the DHHS Inspector General, and has assisted over 2,000 health care organizations and entities in developing, implementing and assessing compliance programs.

Subscribe to blog