New HHS Fact Sheet on Direct Liability of Business Associates under HIPAA

In 2013, Business Associates became directly liable under Federal law for violations of HIPAA in particular circumstances. However, much confusion remains about which circumstances could trigger an investigation and/or penalty by the Office of Civil Rights (OCR). To remedy this, the HHS Office for Civil Rights has issued a new fact sheet that lays out all provisions where the business associate would be held directly liable for HIPAA Rule violations. Nixon Law Group has reviewed this fact sheet, and we have summarized these circumstances, below.

Business Associates are DIRECTLY liable for violations of HIPAA in the following circumstances:

1. Failure to provide information or access requested by the Secretary of HHS and to cooperate with compliance reviews and investigations

2. Retaliating against a person who files a HIPAA complaint, refuses to participate in something unlawful under HIPAA, or participates in a HIPAA investigation

3. Failing to comply with the requirements of the Security Rule

4. Failure to provide required breach notification to a Covered Entity or other Business Associate

5. Impermissible use or disclosure of PHI

6. Failure to properly disclose PHI requested by an individual (if acting on behalf of Covered Entity)

7. Violation of minimum necessary rule

8. Failure to provide an accounting of disclosures

9. Failure to enter into proper business associate agreements with subcontractors

10. Failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement

The new fact sheet can be found by clicking the button below or via THIS LINK.

Note: The above list describes regulatory obligations for Business Associates. Business Associates are also directly liable to their “upstream” Covered Entities and Business Associates via the Business Associate Agreement, which creates contractual obligations. In addition, Business Associates may be indirectly liable if they are contractually bound to indemnify Covered Entities—which are directly liable in all circumstances for violation of HIPAA—for any losses incurred that are attributable to the acts or omissions of the Business Associate. For example, Business Associates are not directly liable for ensuring that only a reasonable amount is charge to individuals requesting records. If a Business Associate contracted with a Covered Entity to record production services to patients and that Business Associate overcharged these patients, the Business Associate could not be held directly liable. The Covered Entity would incur the penalty. However, if that same Business Associate agreed to indemnify the Covered Entity for losses arising from the Business Associate’s acts or omissions via a business associate agreement or other contract with the Covered Entity, then the Covered Entity could hold the Business Associate directly liable for breach of contract.

Ready to innovate? Click here to discover how we can help you get there safely. 

Read more on Data Privacy and Security in The Latest