Under the recently released HIPAA final rule, business associates are now directly liable for both the use and disclosure of protected health information (PHI) in violation of the Privacy Rule or the Security Rule. Business associates should be aware of the consequences of this significant change in their accountability for HIPAA breaches. Direct liability means that, just as with covered entities, business associates in violation of HIPAA will now be subject to civil and criminal penalties for their actions.

In addition to considering the penalties of a HIPAA violation, business associates should also be aware of the new obligations arising under the HIPAA final rule. While HIPAA requirements previously focused on covered entities, under the final rule, business associates will have to prepare for a new set of obligations. Specifically, business associates must:

  1. Maintain records and submit compliance reports as Department of Health and Human Services (HHS) may deem necessary to determine whether the business associate has complied with applicable HIPAA provisions and has cooperated with compliance investigations and reviews;
  2. Notify the covered entity following the discovery of a breach of unsecured PHI;
  3. Make reasonable efforts to limit use and disclosure of PHI, or requests for PHI, to the minimum extent necessary to accomplish the intended purpose;
  4. Enter into HIPAA compliant business associate agreements (BAA) with subcontractors that handle PHI;
  5. Provide an accounting of disclosures, and;
  6. Disclose PHI needed by a covered entity to respond to an individual’s request for an electronic copy of his/her PHI.

As we discussed last week, subcontractors should also pay close attention to changing requirements for business associates. Subcontractors who create, receive, or transmit PHI on behalf of business associates will now be considered business associates themselves, and will thus also be subject to direct liability under HIPAA.