The U.S. Department of Health and Human Services Office for Civil Rights (OCR) released a new fact sheet outlining and clarifying violations of HIPAA (Health Insurance Portability and Accountability Act of 1996) for which a business associate can be held directly liable. Published shortly after the release of new guidance from OCR in the form of FAQs, the new fact sheet signifies another example of OCR’s recent efforts to clarify new and outstanding questions from the ever-evolving health care industry.
In the new fact sheet, OCR first recalls the procedural history by which the application of certain aspects of HIPAA extended to business associates – the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and OCR’s 2013 Final Rule modifying the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules, which dramatically extended to business associates the need to comply directly with the HIPAA Security Rule and significant aspects of the HIPAA Privacy Rule. Since that time, business associates have made efforts to comply with these HIPAA requirements but with little insight as to whether OCR will come after them (as opposed to their covered entity counterparts) for HIPAA violations, and if so, the types of violations OCR will enforce against business associates.
OCR’s fact sheet finally brings some clarity to business associates contemplating their own liability under HIPAA. Citing to the HITECH Act and 2013 Final Rule, the fact sheet clearly states that “OCR has authority to take enforcement action against business associates only for those requirements and prohibitions of the HIPAA Rules as set forth below” (emphasis in original). These are:
- Failure to provide the Secretary of Health and Human Services (HHS) with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the Secretary to information, including protected health information (PHI), pertinent to determining compliance.
- Taking any retaliatory action against any individual or other person for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules.
- Failure to comply with the requirements of the HIPAA Security Rule.
- Failure to provide breach notification to a covered entity or another business associate.
- Impermissible uses and disclosures of PHI.
- Failure to disclose a copy of electronic PHI (ePHI) to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement (BAA)) to satisfy a covered entity’s obligations regarding the form and format, and the time and manner of access under 45 C.F.R. §§ 164.524(c)(2)(ii) and 3(ii), respectively.
- Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
- Failure, in certain circumstances, to provide an accounting of disclosures.
- Failure to enter into BAAs with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such BAAs.
- Failure to take reasonable steps to address a material breach or violation of the subcontractor’s BAA.
In one illustrative example, OCR indicated it has enforcement authority directly over a business associate that has agreed in a BAA to satisfy individual rights (e.g., requests from individuals for access to copies of their medical records). Notably, OCR did not say it would enforce a business associate’s failure to sign a BAA with a covered entity (however, it would with respect to BAAs with business associate subcontractors). Rather, OCR’s example demonstrates that the agency will hold business associates accountable for certain contractual obligations it has made with a covered entity, even if such obligations otherwise exceed the scope of business associate requirements under HIPAA.
OCR’s clarification surrounding the direct liability of business associates comes at a time when the agency’s enforcement against business associates has been on a noticeable, steady rise. Just a few days before releasing the new fact sheet, OCR settled allegations of HIPAA Privacy Rule and Security Rule violations for $100,000 with a business associate that provides software and electronic medical record services to healthcare providers. In that case, the business associate self-disclosed to OCR a HIPAA breach following discovery that hackers used a compromised user ID and password to access the ePHI of approximately 3.5 million people. OCR’s investigation revealed that the business associate had not conducted a comprehensive risk analysis, as required by the Security Rule prior to the breach. To read more on recent OCR settlements with business associates, click here.