On May 24, 2019, the Department of Health and Human Services Office for Civil Rights (OCR) issued a new fact sheet which lists the provisions of the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (HIPAA) for which a business associate can be held directly liable. As the fact sheet notes, the OCR has authority to take enforcement action against business associates only for the following requirements and prohibitions of HIPAA:
OCR’s Director, Roger Severino stated, “We want to make it as easy as possible for regulated entities to understand, and comply with, their obligations under the law.” A “business associate” is, generally speaking, a person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity. Examples of business associates include legal and accounting firms, consultants, billing companies, and medical record providers.
Although this fact sheet is newly released, the OCR has previously taken enforcement action directly against business associates. For example, in 2016, the OCR entered into a $650,000 settlement with a management and information technology service provider after the theft of a mobile device, which was unencrypted and failed to include password protection, compromised the PHI of hundreds of nursing home residents. In addition, on May 23, 2019, a medical record service entered into a $100,000 settlement with the OCR for failing to conduct a comprehensive risk analysis, one of the requirements under the Security Rule, which could have identified the vulnerability in its system which allowed hackers to access the PHI of approximately 3.5 million people.
The OCR’s fact sheet is an important reminder to business associates to minimize potential liability under HIPAA by complying with and documenting the requirements outlined above.