Direct HIPAA Enforcement Liability for Business Associates
June 10, 2019
On May 24, 2019, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a new fact sheet. It compiles the various provisions of the Health Insurance Portability and Accountability Act (HIPAA) that impose direct liability on business associates. The fact sheet aims to simplify the 2013 Final Rule issued by OCR under the authority granted by the Health Information Technology for Economic and Clinical Health (HITECH) Act.
A “business associate” is a person or entity that “creates, receives, maintains, or transmits protected health information (PHI)” on behalf of a covered entity; or provides services that involve the use or disclosure of PHI to a covered entity. In order to engage with a business associate, a covered entity must have a business associate agreement or other written arrangement in place that details the duties of the business associate and the requirements to comply with HIPAA Privacy Rules. Furthermore, business associates must utilize safeguards to prevent any use or disclosure of PHI that extends beyond the terms of the arrangement.
The following list sets forth ten HIPAA breaches for which OCR could take direct enforcement action against a business associate:
The fact sheet serves as notice to business associates that, in addition to contractual liability to the covered entity for a violation of the business associate agreement, they also carry governmental regulatory liability arising from their dealings with covered entities.
If you have questions regarding the new fact sheet, business associate arrangements, or general HIPAA compliance questions, please contact Stacy Walton Long or Alexandria M. Foster or any other Krieg DeVault attorney in the Health Care Practice Group.
© 2020 Krieg DeVault All Rights Reserved.