The Office for Civil Rights (OCR) recently released a Fact Sheet regarding “Direct Liability of Business Associates.” In this Fact Sheet, OCR reminds entities that, as of 2009, HIPAA business associates have been directly liable for certain violations of the HIPAA rules. By way of background, business associates are various entities that require “protected health information” to support HIPAA “covered entities” (health care providers, health care insurers, and health care clearinghouses) or other business associates in carrying out various functions.
Although OCR’s Fact Sheet notes that the list of potential enforcement actions is limited, it is clear that OCR has broad authority to enforce a wide range of compliance shortfalls. Specifically, OCR has authority with respect to the following:
1. Failure to provide the Secretary with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the Secretary to information, including protected health information (PHI), pertinent to determining compliance.
2. Taking any retaliatory action against any individual or other person for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules.
3. Failure to comply with the requirements of the Security Rule.
4. Failure to provide breach notification to a covered entity or another business associate.
5. Impermissible uses and disclosures of PHI.
6. Failure to disclose a copy of electronic PHI to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement) to satisfy a covered entity’s obligations regarding the form and format, and the time and manner of access under 45 C.F.R. §§ 164.524(c)(2)(ii) and 3(ii), respectively.
7. Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
8. Failure, in certain circumstances, to provide an accounting of disclosures.
9. Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.
10. Failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.
Significantly, business associates are required to comply with a large portion, although not all, of HIPAA’s Privacy Rule. Business associates are required to comply completely with HIPAA’s Security Rule for electronic protected health information. And, finally, business associates are required to report breaches of unsecured protected health information under HIPAA’s Breach Notification Rule. To be sure, merely signing a business associate agreement does not constitute compliance—instead, it is only the trigger for compliance, which includes maintenance of policies and procedures, conducting a Security Rule risk assessment, and providing workforce training.
It is unclear whether the OCR’s issuance of the Fact Sheet suggests that there will be increased enforcement against business associates. Currently, there has been only one published enforcement settlement involving a business associate, and that was in 2016 for $650,000. It is clear, however, that covered entities must be mindful of their obligations to obtain business associate agreements given that several enforcement actions, including three in 2018, have mentioned a lack of business associate agreements among the items of non-compliance.
Notably, HIPAA provides for both civil and criminal penalties, including penalty amounts of up to $1.5 million per violation per year. As a result, published HIPAA settlements have ranged from $25,000 to $16 million, with over a dozen falling in the $1-5 million range. HIPAA enforcement is not going away, and we can expect to see increased enforcement against business associates and covered entities alike.