OCR Clarifies Direct Liability for Business Associates under HIPAA

On May 24, 2019, the Department of Health and Human Services Office for Civil Rights (OCR) issued a new fact sheet which lists the provisions of the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (HIPAA) for which a business associate can be held directly liable. As the fact sheet notes, the OCR has authority to take enforcement action against business associates only for the following requirements and prohibitions of HIPAA:

Failure to provide the Secretary with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the Secretary to information, including protected health information (PHI), pertinent to determining compliance.
Taking any retaliatory action against any individual or other person for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under HIPAA.
Failure to comply with the requirements of the Security Rule.
Failure to provide breach notification to a covered entity or another business associate.
Impermissible uses and disclosures of PHI.
Failure to disclose a copy of electronic PHI to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement) to satisfy a covered entity’s obligations regarding the form and format, and the time and manner of access under 45 C.F.R. §§ 164.524(c)(2)(ii) and 3(ii), respectively.
Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
Failure, in certain circumstances, to provide an accounting of disclosures.
Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.
Failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.

OCR’s Director, Roger Severino stated, “We want to make it as easy as possible for regulated entities to understand, and comply with, their obligations under the law.” A “business associate” is, generally speaking, a person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity. Examples of business associates include legal and accounting firms, consultants, billing companies, and medical record providers.

Although this fact sheet is newly released, the OCR has previously taken enforcement action directly against business associates. For example, in 2016, the OCR entered into a $650,000 settlement with a management and information technology service provider after the theft of a mobile device, which was unencrypted and failed to include password protection, compromised the PHI of hundreds of nursing home residents. In addition, on May 23, 2019, a medical record service entered into a $100,000 settlement with the OCR for failing to conduct a comprehensive risk analysis, one of the requirements under the Security Rule, which could have identified the vulnerability in its system which allowed hackers to access the PHI of approximately 3.5 million people.

The OCR’s fact sheet is an important reminder to business associates to minimize potential liability under HIPAA by complying with and documenting the requirements outlined above.

Disclaimer

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.