HIPAA Enforcement Guidance Issued for Business Associates
June 13, 2019
New HHS Fact Sheet Addresses Direct Liability
The U.S. Department of Health & Human Services’ (HHS) Office for Civil Rights (OCR) has issued a fact sheet explaining when a business associate can be directly liable for compliance with the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules.
The fact sheet states that OCR is authorized to take enforcement action against business associates only for:
- Failing to provide HHS with records and compliance reports, cooperate with investigations and reviews, and provide HHS access to protected health information (PHI) and other compliance information;
- Retaliating against anyone for filing a HIPAA complaint, participating in an investigation, or opposing a HIPAA violation;
- Failing to comply with the Security Rule;
- Failing to notify a covered entity or other business associate of a breach;
- Impermissible uses and disclosures of PHI;
- Failing to disclose a copy of electronic PHI to either a covered entity, an individual, or an individual’s designee (whichever is specified in the business associate agreement);
- Failing to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request;
- Failing to provide an accounting of disclosures in certain circumstances;
- Failing to enter into compliant business associate agreements with subcontractors that create or receive PHI on their behalf; and
- Failing to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.