The Department of Health and Human Services Office for Civil Rights (OCR) recently issued a reminder to business associate entities regarding the potential for direct liability for certain violations of the Health Insurance Portability and Accountability Act (HIPAA). In a Fact Sheet issued on May 24, 2019, the OCR provided the following list of HIPAA violations for which business associates are directly liable:
- Failure to provide the Secretary with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the Secretary to information, including protected health information (PHI), pertinent to determining compliance.
- Taking any retaliatory action against any individual or other person for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules.
- Failure to comply with the requirements of the Security Rule.
- Failure to provide breach notification to a covered entity or another business associate.
- Impermissible uses and disclosures of PHI.
- Failure to disclose a copy of electronic PHI (ePHI) to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement) to satisfy a covered entity’s obligations regarding the form and format, and the time and manner of access under 45 C.F.R. §§ 164.524(c)(2)(ii) and 3(ii), respectively.
- Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
- Failure, in certain circumstances, to provide an accounting of disclosures.
- Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.
- Failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.
This recent unsolicited reminder from the OCR regarding direct liability for business associates is a chilling signal of the potential consequences of an entity’s failure to implement a HIPAA compliance program. If you need assistance developing and implementing a HIPAA compliance program, either as a covered entity or as a business associate, please contact us.