Do Business Associates have direct liability under HIPAA?

Do business associates have-direct liability under HIPAA
  • The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), issued a fact sheet enumerating a list of HIPAA Rules prohibitions that deems the Business Associate directly accountable and subject for enforcement action.

  • The HIPAA Rule defines a “Business Associate” as “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.”

  • Examples of Business Associates are:
  • A third-party administrator that assists a health plan with claims processing.

  • A CPA firm whose accounting services to a health care provider involves access to protected health information.

  • An attorney whose legal services to a health plan involve access to protected health information.

  • A consultant that performs utilization reviews for a hospital.

  • A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.

  • An independent medical transcriptionist that provides transcription services to a physician.

  • A pharmacy benefits manager that manages a health plan’s pharmacist network.

  • A Cloud Services Provider (CSP) that stores only encrypted ePHI and does not have a decryption key.

  • As part of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, all Business Associates must comply with the requirements of HIPAA Privacy, HIPAA Security, Breach Notification, and Enforcement Rules. In addition, the OCR declared a final rule in 2013 delineating HIPAA Rule provisions that identify direct liability on Business Associates.

  • According to OCR Director Roger Severino, “as part of the Department’s effort to fully protect patients’ health information and their rights under HIPAA, OCR has issued this important fact sheet clearly explaining a business associate’s liability. We want to make it as easy as possible for regulated entities to understand, and comply with, their obligations under the law.”

  • The list of “HIPAA Rules” requirements and prohibitions stated on the Fact Sheet are as follows:

  • 1

    Failure to provide the Secretary with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the Secretary to information, including protected health information (PHI), pertinent to determining compliance.

  • 2

    Taking any retaliatory action against any individual or other person for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an unlawful act or practice under the HIPAA Rules.

  • 3

    Failure to comply with the requirements of the Security Rule.

  • 4

    Impermissible uses and disclosures of PHI.

  • 5

    Failure to provide breach notification to a covered entity or another business associate.

  • 6

    Failure to disclose a copy of electronic PHI to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement) to satisfy a covered entity’s obligations regarding the form and format, and the time and manner of access under 45 C.F.R. §§ 164.524(c)(2)(ii) and 3(ii), respectively.

  • 7

    Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

  • 8

    Failure, in certain circumstances, to provide an accounting of disclosures.

  • 9

    Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.

  • 10

    Failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.

  • The declaration of the HHS Fact Sheet on Business Associates direct liability is to be expected as part of the government agency’s continues effort on fostering a comprehensive and robust enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The HIPAA safeguards protection of health information privacy, security of electronic records, administrative simplification, and insurance portability.