On May 24, 2019, the Office of Civil Rights (OCR) – the arm of the Department of Health and Human Services that enforces the Health Insurance Portability and Accountability Act (HIPAA) – issued a new fact sheet clarifying the specific instances in which a business associate can be found directly liable for violations of the HIPAA Privacy, Security, Breach Notification and Enforcement Rules (“HIPAA Rules”). As you may know, prior to the promulgation of the 2013 HIPAA Final Rule, liability of business associates could arise only under the terms of a business associate agreement.
The OCR’s latest fact sheet serves as a reminder to business associates that their compliance obligations arise under both business associate agreements and the HIPAA Rules, and with respect to the latter, clarifies that the OCR’s authority to take enforcement action against business associates is limited to violations of only the following requirements and prohibitions of the HIPAA Rules:
- Failure to provide the Secretary of HHS with records and compliance reports; failure to cooperate with complaint investigations and compliance reviews; and failure to permit access by the Secretary to information, including protected health information (PHI), pertinent to determining compliance.
- Taking any retaliatory action against any individual or other person for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules.
- Failure to comply with the requirements of the Security Rule.
- Failure to provide breach notification to a covered entity or another business associate.
- Impermissible uses and disclosures of PHI.
- Failure to disclose a copy of electronic PHI to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement) to satisfy a covered entity’s obligations regarding the form and format, and the time and manner of access under 45 C.F.R. §§ 164.524(c)(2)(ii) and 3(ii), respectively.
- Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
- Failure, in certain circumstances, to provide an accounting of disclosures.
- Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.
- Failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.
In our experience, the OCR has been particularly active in enforcing items 3 and 4 above. First, the Security Rule (#3 above) requires business associates to implement administrative, physical and technical safeguards to help protect the confidentiality, integrity and accessibility of protected health information (PHI). Given the burdensome nature of this rule, it is no surprise that the OCR regularly finds instances of noncompliance. Similarly, the breach notification provision (#4 above) is low-hanging fruit for OCR enforcement; if a business associate fails to adopt effective policies and procedures for breach identification and notification, the likelihood of the OCR finding liability will be much higher.
Finally, business associate agreements with subcontractors (items 9 and 10 above) should not be overlooked. Any subcontractor performing services that involve PHI received, created, or maintained on behalf of a business associate must sign a business associate agreement with terms at least as stringent as the business associate’s own agreement with the Covered Entity. We are happy to answer any questions you may have about the new fact sheet or HIPAA obligations in general. Please contact Marni Smilow Levitt at email@example.com or 508-561-4306.
For more details, the new fact sheet may be found at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/index.html, along with OCR’s guidance related to business associates.