Back To School And Back To BAAs: OCR Guidance Provides Reason To Review BAA Provisions

Fox Rothschild LLP

Last May, around the time many schools let out for the summer, the Office for Civil Rights (“OCR”) published guidance entitled “Direct Liability of Business Associates” (the “Guidance”), which focuses, not surprisingly, on OCR’s ability to take enforcement action directly against HIPAA business associates. I meant to write about this guidance before Memorial Day, but since the back-to-school season is a good time to get things (including business associate agreements or “BAAs”) in order, this timing feels right.

The Guidance caught my attention not because it lists ten HIPAA failures or violations for which business associates are directly liable, but because it calls out one specific HIPAA violation that will fall on the shoulders of the contracted covered entity:

“… OCR lacks the authority to enhance the “reasonable, cost-based fee” limitation in 45 C.F.R. § 164.524(c)(4) against business associates … .”

In other words, the OCR explains that, if a covered entity engages a business associate to fulfill an individual’s request for access to protected health information, it is the covered entity’s responsibility to ensure that the business associate complies with HIPAA’s “reasonable, cost-based fee” limitation (and any more stringent state law requirement).

We’ve posted on the topic of individual access rights under HIPAA (see here and here), and have also posted on the topic of what amounts can be charged, both under HIPAA and under state law (see here and here). What the Guidance compels me to point out, though, is that covered entities often include a provision in BAAs that requires the business associate to respond to an individual’s access request by either notifying the covered entity of the request or by providing the requested electronic or paper copy directly. The provision may require the business associate to comply with the HIPAA regulatory requirements regarding the timing of the response, either in terms of notifying the covered entity within a specified time period or by responding directly to the individual.

However, a provision stating simply that the business associate must “comply with 45 C.F.R. § 164.524 [the regulation governing individuals’ access rights]” may not be enough to ensure that the business associate limits the amount charged as per the regulation, which potentially creates unexpected exposure for noncompliance for the covered entity. Thus, in light of the Guidance, covered entities should review their BAAs and consider whether updates are required to such provisions. If they don’t, they may end up dealing with an OCR enforcement action that could have been prevented with a few well-placed BAA words.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fox Rothschild LLP | Attorney Advertising
