Advertisement

May 22, 2013

Direct Liability and Responsibilities Under the HIPAA Final Rule: What Should Business Associates Know?

Barnes & Thornburg LLP - a national law firm of more than 550 professionals
Nita Garg
Barnes & Thornburg LLP
Wednesday, January 30, 2013
Administrative & Regulatory / Health Law & Managed Care
All Federal
Printer-friendly
Email this Article
Download PDF
Reprints & Permissions

Under the recently released HIPAA final rule, business associates are now directly liable for both the use and disclosure of protected health information (PHI) in violation of the Privacy Rule or the Security Rule. Business associates should be aware of the consequences of this significant change in their accountability for HIPAA breaches. Direct liability means that, just as with covered entities, business associates in violation of HIPAA will now be subject to civil and criminal penalties for their actions.

In addition to considering the penalties of a HIPAA violation, business associates should also be aware of the new obligations arising under the HIPAA final rule. While HIPAA requirements previously focused on covered entities, under the final rule, business associates will have to prepare for a new set of obligations. Specifically, business associates must:

(1) Maintain records and submit compliance reports as Department of Health and Human Services (HHS) may deem necessary to determine whether the business associate has complied with applicable HIPAA provisions and has cooperated with compliance investigations and reviews;

(2) Notify the covered entity following the discovery of a breach of unsecured PHI;

(3) Make reasonable efforts to limit use and disclosure of PHI, or requests for PHI, to the minimum extent necessary to accomplish the intended purpose;

(4) Enter into HIPAA compliant business associate agreements (BAA) with subcontractors that handle PHI;

(5) Provide an accounting of disclosures, and;

(6) Disclose PHI needed by a covered entity to respond to an individual’s request for an electronic copy of his/her PHI.

As we discussed last week, subcontractors should also pay close attention to changing requirements for business associates. Subcontractors who create, receive, or transmit PHI on behalf of business associates will now be considered business associates themselves, and will thus also be subject to direct liability under HIPAA.

This entry is part of an ongoing series on the Barnes & Thornburg Healthcare Blog regarding the HIPAA final rule released on Jan. 17, 2013. Continue to visit www.bthealthlaw.com for new updates and analysis.

© 2013 BARNES & THORNBURG LLP

About the Author

Nita Garg
Staff Attorney

Nita Garg is a staff attorney in Barnes & Thornburg LLP’s Chicago office and a member of the firm’s Health Care Department.

nita.garg@btlaw.com
312-214-4847
www.btlaw.com

Boost: AJAX core statistics

Legal Disclaimer

You are responsible for reading, understanding and agreeing to the National Law Review's (NLR’s) and the National Law Forum LLC's  Terms of Use and Privacy Policy before using the National Law Review website. The National Law Review is a free to use, no-log in database of legal and business articles. The content and links on www.NatLawReview.com are intended for general information purposes only. Any legal analysis, legislative updates or other content and links should not be construed as legal or professional advice or a substitute for such advice. No attorney-client or confidential relationship is formed by the transmission of information between you and the National Law Review website or any of the law firms, attorneys or other professionals or organizations who include content on the National Law Review website. If you require legal or professional advice, kindly contact an attorney or other suitable professional advisor.  

Some states have laws and ethical rules regarding solicitation and advertisement practices by attorneys and/or other professionals. NLR does not accept advertising from attorneys or law firms. The National Law Review is not a law firm nor is www.NatLawReview.com  intended to be an advertisement or a referral service for attorneys and/or other professionals. The NLR does not wish, nor does it intend, to solicit the business of anyone or to refer anyone to an attorney or other professional.  NLR does not answer legal questions nor will we refer you to an attorney or other professional if you request such information from us. 

Under certain state laws the following statements may be required on this website and we have included them in order to be in full compliance with these rules. The choice of a lawyer or other professional is an important decision and should not be based solely upon advertisements. Attorney Advertising Notice: Prior results do not guarantee a similar outcome. Statement in compliance with Texas Rules of Professional Conduct. Unless otherwise noted, attorneys are not certified by the Texas Board of Legal Specialization, nor can NLR attest to the accuracy of any notation of Legal Specialization or other Professional Credentials.