OCR Releases Fact Sheet on Business Associate Liability Under HIPAA
Under the HITECH Act, the US Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) strengthened privacy and security protections by extending HIPAA compliance to business associates of covered entities and subcontractors. While nothing has changed within the law since 2013, the fact sheet aims to make it as easy as possible for covered entities and business associates to understand and comply with their obligations under the law.
“As part of the department’s effort to fully protect patients’ health information and their rights under HIPAA, OCR has issued this important new fact sheet clearly explaining a business associate’s liability,” OCR Director Roger Severino said in a statement accompanying the guidance.
As the law firm Miller Canfield points out, prior to HITECH, “business associates had liability to the covered entity involved if they breached their business associate agreements but no direct liability for HIPAA violations, such as impermissible use and disclosure of PHI.”
OCR has authority to take enforcement action against business associates only for those requirements and prohibitions of the HIPAA Rules that appear on the following list, such as:
- Failure to disclose a copy of electronic PHI to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement) to satisfy a covered entity’s obligations regarding the form and format, and the time and manner of access under 45 C.F.R. §§ 164.524(c)(2)(ii) and 3(ii), respectively.
- Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.
For more information, click here to view the full fact sheet.