The Department of Health and Human Services Office for Civil Rights released a fact sheet on business associate liability under HIPAA and the HITECH Act on Friday, outlining all provisions for which the agency is authorized to take enforcement action.
The fact sheet aims to provide clear guidance on business associate liability, as outlined in a 2013 final rule issued by OCR under the authority of the HITECH Act. While HIPAA applies directly to health providers, health plans and clearinghouses, some vendors qualify as business associates, since healthcare organizations often rely on outside vendors to perform certain services.
Under HIPAA, these vendors are deemed business associates if they handle protected health information “only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule.”
“As part of the department’s effort to fully protect patients’ health information and their rights under HIPAA, OCR has issued this important new fact sheet clearly explaining a business associate’s liability,” OCR Director Roger Severino said in a statement.
“We want to make it as easy as possible for regulated entities to understand, and comply with, their obligations under the law,” he added.
There are 10 provisions for which OCR has the authority to take enforcement action against a business associate. The first provision explains that a business associate must provide the agency with records and compliance reports and cooperate with complaint investigations and compliance reviews.
Further, business associates must permit the agency access to information, including protected health information, when pertinent to determining compliance.
Under the second provision, business associates are prohibited from taking any retaliatory action against an individual for filing a HIPAA complaint, participating in an investigation or enforcement process, or opposing a business associate’s practice deemed unlawful by HIPAA.
OCR will also take action for failure to comply with HIPAA requirements, failure to provide breach notification to a covered entity or another business associate, or impermissible uses and disclosures of PHI.
Notably, the sixth provision explains that business associates will also be held liable for failing to provide a copy of ePHI to the covered entity, individual, or individual’s designee in a manner that would “satisfy a covered entity’s obligations regarding the form and format, and the time and manner of access.”
Business associates are also required to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended use, disclosure, or request; to provide an accounting of disclosures in certain circumstances; and to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, in compliance with the implementation specifications for such agreements.
Lastly, business associates must “take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.” Failure to comply with these provisions can lead to an OCR enforcement action.
This is the second fact sheet released by OCR this year to address questions around HIPAA liability. In April, OCR shared insight into HIPAA liability around third-party health apps.