Business Associates – beware. On May 24, 2019, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) released a fact sheet on the direct liability of business associates under HIPAA (“Fact Sheet”). This information itself is not new, as HITECH and the 2013 HIPAA Omnibus Rule identified components of HIPAA that apply directly to business associates. However, the Fact Sheet serves as a great reminder to covered entities and business associates of the importance of HIPAA compliance and the maintenance of business associate agreements with contractors and subcontractors.
It is worth noting that OCR already has HIPAA enforcement actions against business associates under its belt. For example, in 2016, OCR entered into a settlement agreement with a management and information technology services company that provided services to nursing homes for its failure to safeguard nursing home residents’ PHI. The business associate settled with OCR to the tune of $650,000. It is likely that this Fact Sheet is a preview of HIPAA enforcement actions to come. The Fact Sheet lists ten violations where OCR has authority to enforce against a business associate. This broad list includes, but is not limited to:
(1) the failure to comply with the Security Rule;
(2) impermissible uses and disclosures of protected health information;
(3) the failure to provide breach notification to a covered entity or another business associate;
(4) the failure to comply with the minimum necessary rule under HIPAA;
(5) the failure to enter into business associate agreements with subcontractors and implement such contract provisions; and
(6) the failure to take reasonable steps to address a material breach or violation of a subcontractor’s business associate agreement.
If your business performs functions or activities that involve the protected health information of a health care provider, health plan or health care clearinghouse, now is a good time to double-check your HIPAA compliance.