Direct Liability and Responsibilities Under the HIPAA Final Rule: What Should Business Associates Know?
Wednesday, January 30, 2013
patient
Print Mail Download i

Under the recently released HIPAA final rule, business associates are now directly liable for both the use and disclosure of protected health information (PHI) in violation of the Privacy Rule or the Security Rule. Business associates should be aware of the consequences of this significant change in their accountability for HIPAA breaches. Direct liability means that, just as with covered entities, business associates in violation of HIPAA will now be subject to civil and criminal penalties for their actions.

In addition to considering the penalties of a HIPAA violation, business associates should also be aware of the new obligations arising under the HIPAA final rule. While HIPAA requirements previously focused on covered entities, under the final rule, business associates will have to prepare for a new set of obligations. Specifically, business associates must:

(1) Maintain records and submit compliance reports as Department of Health and Human Services (HHS) may deem necessary to determine whether the business associate has complied with applicable HIPAA provisions and has cooperated with compliance investigations and reviews;

(2) Notify the covered entity following the discovery of a breach of unsecured PHI;

(3) Make reasonable efforts to limit use and disclosure of PHI, or requests for PHI, to the minimum extent necessary to accomplish the intended purpose;

(4) Enter into HIPAA compliant business associate agreements (BAA) with subcontractors that handle PHI;

(5) Provide an accounting of disclosures, and;

(6) Disclose PHI needed by a covered entity to respond to an individual’s request for an electronic copy of his/her PHI.

As we discussed last week, subcontractors should also pay close attention to changing requirements for business associates. Subcontractors who create, receive, or transmit PHI on behalf of business associates will now be considered business associates themselves, and will thus also be subject to direct liability under HIPAA.

This entry is part of an ongoing series on the Barnes & Thornburg Healthcare Blog regarding the HIPAA final rule released on Jan. 17, 2013. Continue to visit www.bthealthlaw.com for new updates and analysis.

© 2024 BARNES & THORNBURG LLP

Current Legal Analysis

More from Barnes & Thornburg LLP

Union Election Petitions and Labor Charges Continue Their Meteoric Rise
by: David J. Pryzbylski
HHS-OIG Highlights Anti-Fraud Safeguards for Patient Assistance Programs Backed Mainly By Drug Manufacturers
by: Jason D. Schultz , Thomas K. Petersen
Crossing The Border: Federal Circuit Confirms Patent Owner’s Ability To Recover A Reasonable Royalty Based On Foreign Activity
by: Heather B. Repicky
Did the Supreme Court Just Invite Greenhushing? Not So Fast …
by: Bruce White
U.S. Supreme Court Clarifies, and Broadens, Definition of "Transportation Worker" Under the Federal Arbitration Act
by: Michael Witczak
Legislative Update: Kentucky Significantly Shortens Limitations Period for Employment Claims
by: Aaron Vance
Some Employers Must Comply with Chicago's Sexual Harassment Law Even if They Are Not in Chicago
by: Douglas M. Oldham
Proposed California Bill Provides Workers the 'Right to Disconnect' From Work
by: Michael Witczak
3 Tips for Illinois Employers Revising Their Paid Time Off Policies to Comply with New Leave Laws
by: Douglas M. Oldham
EPA’s Selection of Recipients for $20 Billion in Greenhouse Gas Reduction Funds is Another Major Step Toward Achieving National Climate Goals
by: Bruce White

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins