OCR Clarifies Direct Liability of Business Associates Under HIPAA

Saul Ewing Arnstein & Lehr LLP

On May 24, 2019, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), released a new fact sheet describing 10 ways in which a “business associate” can be liable under HIPAA. The new fact sheet comes one day after the announcement of a settlement where a HIPAA business associate agreed to pay $100,000 and enter into a corrective action plan to resolve allegations of HIPAA non-compliance.

Business associates have been directly liable for HIPAA violations since the HITECH Act was passed in 2009, as formalized in the so-called HIPAA Omnibus Rule promulgated by HHS in 2013. The new fact sheet consolidates the requirements throughout the HIPAA Privacy, Security and Breach Notification Rules for which a business associate may be directly liable. The items discussed in the fact sheet for which the OCR may take enforcement action against a business associate include:

  • failure to cooperate with OCR complaint investigations;
  • taking retaliatory action against an individual for filing a HIPAA complaint;
  • non-compliance with the HIPAA Security Rule;
  • failure to provide a breach notification to a HIPAA covered entity;
  • impermissible uses and disclosures of PHI;
  • failure to fully comply with HIPAA’s right of access as specified in the business associate agreement with the applicable covered entity;
  • failure to follow the minimum necessary standard;
  • failure in certain instances to provide an accounting of disclosures;
  • failure to enter into down-stream business associate agreements; and
  • failure to take reasonable steps to address a breach of a subcontractor’s business associate agreement.

Conversely, for the remaining HIPAA requirements the OCR lacks authority to take enforcement action against a business associate; in those cases it would instead take action against the applicable covered entity, even where the business associate actually committed the violation.

HIPAA-covered entities and business associates must comply with the HIPAA requirements or face the consequences from OCR. The new OCR fact sheet is a friendly reminder of areas where a noncompliant business associate can get itself into trouble and also potentially create exposure for the covered entity for which it is providing services.
