On May 24, 2019, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a new fact sheet providing a compilation of all provisions through which a business associate may be held directly liable with the HIPAA Privacy, Security, Breach Notification, and Enforcement regulations. The fact sheet is a valuable resource for all HIPAA business associates.

Under the Final Rule issued in 2013, OCR has the authority to take enforcement actions against business associates for some, but not all, of the requirements and prohibitions set forth in the HIPAA regulations. The fact sheet provides a convenient list of violations for which a business associate may be held directly liable.

The list includes violations that are very narrow, such as the failure to provide breach notification to covered entities, and others that are quite broad, such as the failure to comply with the requirements of the Security Rule. In all, the fact sheet lists ten violations for which a business associate may be held directly liable.

Finally, the fact sheet provides one example of a violation for which only covered entities may be held directly liable: the “reasonable, cost-based fee” limitation applicable to requests for access to protected health information. The fact sheet notes that if a covered entity engages a business associate to fulfill requests for access, and a fee charged is in excess of the limitation, then OCR can take enforcement action against only the covered entity, not the business associate.

Business associates should review the fact sheet carefully and consider whether their policies and procedures address each requirement. Workforce members should receive training at the time of hire and regularly thereafter on these policies and the associated requirements.

[View source.]