April 24, 2014

Direct Liability and Responsibilities Under the HIPAA Final Rule: What Should Business Associates Know?

Under the recently released HIPAA final rule, business associates are now directly liable for both the use and disclosure of protected health information (PHI) in violation of the Privacy Rule or the Security Rule. Business associates should be aware of the consequences of this significant change in their accountability for HIPAA breaches. Direct liability means that, just as with covered entities, business associates in violation of HIPAA will now be subject to civil and criminal penalties for their actions.

In addition to considering the penalties of a HIPAA violation, business associates should also be aware of the new obligations arising under the HIPAA final rule. While HIPAA requirements previously focused on covered entities, under the final rule, business associates will have to prepare for a new set of obligations. Specifically, business associates must:

(1) Maintain records and submit compliance reports as Department of Health and Human Services (HHS) may deem necessary to determine whether the business associate has complied with applicable HIPAA provisions and has cooperated with compliance investigations and reviews;

(2) Notify the covered entity following the discovery of a breach of unsecured PHI;

(3) Make reasonable efforts to limit use and disclosure of PHI, or requests for PHI, to the minimum extent necessary to accomplish the intended purpose;

(4) Enter into HIPAA compliant business associate agreements (BAA) with subcontractors that handle PHI;

(5) Provide an accounting of disclosures, and;

(6) Disclose PHI needed by a covered entity to respond to an individual’s request for an electronic copy of his/her PHI.

As we discussed last week, subcontractors should also pay close attention to changing requirements for business associates. Subcontractors who create, receive, or transmit PHI on behalf of business associates will now be considered business associates themselves, and will thus also be subject to direct liability under HIPAA.

This entry is part of an ongoing series on the Barnes & Thornburg Healthcare Blog regarding the HIPAA final rule released on Jan. 17, 2013. Continue to visit for new updates and analysis.


About the Author

Nita Garg, Health Care Attorney, Barnes Thornburg, Law firm
Staff Attorney

Nita Garg is an associate in Barnes & Thornburg LLP’s Chicago office and a member of the firm’s Healthcare Department. Ms. Garg assists clients with healthcare issues, including physician employment, physician-hospital contracting, Medicare and Medicaid reimbursement, and various state and federal regulatory matters, including fraud and abuse and HIPAA. 


Boost: AJAX core statistics

Legal Disclaimer

You are responsible for reading, understanding and agreeing to the National Law Review's (NLR’s) and the National Law Forum LLC's  Terms of Use and Privacy Policy before using the National Law Review website. The National Law Review is a free to use, no-log in database of legal and business articles. The content and links on are intended for general information purposes only. Any legal analysis, legislative updates or other content and links should not be construed