August 19, 2017

August 18, 2017

Subscribe to Latest Legal News and Analysis

August 17, 2017

Subscribe to Latest Legal News and Analysis

August 16, 2017

Subscribe to Latest Legal News and Analysis

Direct Liability and Responsibilities Under the HIPAA Final Rule: What Should Business Associates Know?

Under the recently released HIPAA final rule, business associates are now directly liable for both the use and disclosure of protected health information (PHI) in violation of the Privacy Rule or the Security Rule. Business associates should be aware of the consequences of this significant change in their accountability for HIPAA breaches. Direct liability means that, just as with covered entities, business associates in violation of HIPAA will now be subject to civil and criminal penalties for their actions.

In addition to considering the penalties of a HIPAA violation, business associates should also be aware of the new obligations arising under the HIPAA final rule. While HIPAA requirements previously focused on covered entities, under the final rule, business associates will have to prepare for a new set of obligations. Specifically, business associates must:

(1) Maintain records and submit compliance reports as Department of Health and Human Services (HHS) may deem necessary to determine whether the business associate has complied with applicable HIPAA provisions and has cooperated with compliance investigations and reviews;

(2) Notify the covered entity following the discovery of a breach of unsecured PHI;

(3) Make reasonable efforts to limit use and disclosure of PHI, or requests for PHI, to the minimum extent necessary to accomplish the intended purpose;

(4) Enter into HIPAA compliant business associate agreements (BAA) with subcontractors that handle PHI;

(5) Provide an accounting of disclosures, and;

(6) Disclose PHI needed by a covered entity to respond to an individual’s request for an electronic copy of his/her PHI.

As we discussed last week, subcontractors should also pay close attention to changing requirements for business associates. Subcontractors who create, receive, or transmit PHI on behalf of business associates will now be considered business associates themselves, and will thus also be subject to direct liability under HIPAA.

This entry is part of an ongoing series on the Barnes & Thornburg Healthcare Blog regarding the HIPAA final rule released on Jan. 17, 2013. Continue to visit for new updates and analysis.



About this Author

The Barnes & Thornburg Healthcare Department regularly represents physicians, medical groups, managed care organizations, hospitals, nursing homes, and national healthcare-related associations located around the country. Given our healthcare practice, we understand the unique commercial and regulatory environment in which healthcare organizations operate. Our attorneys bring their problem-solving and consensus-building skills to listen carefully to the goals of their clients and recommend practical solutions.