The Office for Civil Rights (“OCR”) of the Department of Health and Human Services issued a factsheet detailing ten ways a business associate can be held directly liable for violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), using the authority provided by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009. Although covered entities remain ultimately responsible for what happens to their protected health information (“PHI”), HITECH authorized OCR to hold business associates directly liable for certain violations of HIPAA, independent of any enforcement action against the covered entity.

The ten violations for which OCR may hold a business associate directly liable are instances where the business associate:

  1. Fails to provide the Secretary of Health and Human Services (“Secretary”) with records and compliance reports; fails to cooperate with complaint investigations and compliance reviews; or fails to permit the Secretary to access information pertinent to determining compliance, including PHI.
  2. Retaliates against any individual or other person for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under HIPAA.
  3. Fails to comply with the requirements of the HIPAA Security Rule.
  4. Fails to provide breach notification as required by the HIPAA Breach Notification Rule. This includes notification to the covered entity or to another business associate, as set out in the contractual arrangement between the parties.
  5. Uses or discloses PHI impermissibly.
  6. Fails to provide a copy of electronic PHI to the covered entity, the individual or the individual’s designee (whichever the business associate agreement specifies) as needed for the covered entity to meet its obligations regarding an individual’s right of access to the designated record set, including the form, format, time and manner of access required by HIPAA.
  7. Fails to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request.
  8. Fails, where required, to provide an accounting of disclosures.
  9. Fails to enter into business associate agreements with subcontractors that create or receive PHI on its behalf, as required by HIPAA, or fails to comply with the implementation specifications for such agreements.
  10. Fails to take reasonable steps to address a material breach or violation of a subcontractor’s business associate agreement.

In light of this new factsheet, business associates should consider the following:

  • Business associates should perform a security risk analysis, as required by the Security Rule, on a regular basis and act on the findings of that analysis.
  • Business associates should ensure their HIPAA compliance program includes documented policies and procedures, and workforce training on them, so that they can respond quickly to complaint investigations and compliance reviews.
  • Business associates should keep a current list of all business associate arrangements, both with covered entities and with their own subcontractors.
  • Business associates should make certain that their business associate agreements not only set forth the satisfactory assurances required by HIPAA, but also clearly state how the business associate may use and disclose PHI.
  • Business associates should make certain that their business associate agreements clearly set forth each party’s obligations under the Breach Notification Rule, including to whom notice is given and within what time.
  • Business associates should be mindful of any increase or change in the scope of services they provide to a covered entity, or that a subcontractor performs for them, and ensure that the existing business associate agreement covers that scope of services.
  • Business associates must be able to recognize and appropriately escalate communications from the Secretary, so that requests from the Secretary are handled in accordance with HIPAA.
  • Business associates must be aware of their obligations under state law, such as state data breach and consumer protection laws, because state attorneys general can also bring actions against business associates under HIPAA (as authorized by HITECH) or under state law.