August 20, 2019

August 19, 2019

Subscribe to Latest Legal News and Analysis

OCR Clarifies Direct Liability for Business Associates under HIPAA

On May 24, 2019, the Department of Health and Human Services Office for Civil Rights (OCR) issued a new fact sheet which lists the provisions of the HIPAA PrivacySecurityBreach Notification, and Enforcement Rules (HIPAA) for which a business associate can be held directly liable. As the fact sheet notes, the OCR has authority to take enforcement action against business associates only for the following requirements and prohibitions of HIPAA:

  1. Failure to provide the Secretary with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the Secretary to information, including protected health information (PHI), pertinent to determining compliance.
  2. Taking any retaliatory action against any individual or other person for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under HIPAA.
  3. Failure to comply with the requirements of the Security Rule.
  4. Failure to provide breach notification to a covered entity or another business associate.
  5. Impermissible uses and disclosures of PHI.
  6. Failure to disclose a copy of electronic PHI to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement) to satisfy a covered entity’s obligations regarding the form and format, and the time and manner of access under 45 C.F.R. §§ 164.524(c)(2)(ii) and 3(ii), respectively.
  7. Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
  8. Failure, in certain circumstances, to provide an accounting of disclosures.
  9. Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.
  10. Failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.

OCR’s Director, Roger Severino stated, “We want to make it as easy as possible for regulated entities to understand, and comply with, their obligations under the law.” A “business associate” is, generally speaking, a person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity. Examples of business associates include legal and accounting firms, consultants, billing companies, and medical record providers. 

Although this fact sheet is newly released, the OCR has previously taken enforcement action directly against business associates. For example, in 2016, the OCR entered into a $650,000 settlement with a management and information technology service provider after the theft of a mobile device, which was unencrypted and failed to include password protection, compromised the PHI of hundreds of nursing home residents. In addition, on May 23, 2019, a medical record service entered into a $100,000 settlement with the OCR for failing to conduct a comprehensive risk analysis, one of the requirements under the Security Rule, which could have identified the vulnerability in its system which allowed hackers to access the PHI of approximately 3.5 million people.   

The OCR’s fact sheet is an important reminder to business associates to minimize potential liability under HIPAA by complying with and documenting the requirements outlined above.  

© 2019 Foley & Lardner LLP

TRENDING LEGAL ANALYSIS


About this Author

Kelly Thompson, Foley Lardner, Healthcare lawyer
Associate

Kelly Thompson is an associate and health care business lawyer with Foley & Lardner LLP. Her practice focuses on legal services for corporations, hospitals, physician practices, and other health care providers in the areas of business law and health regulatory compliance with a focus on federal and state fraud and abuse and licensure laws. 

Ms. Thompson has assisted health care providers on various health and business law issues, including federal and state privacy laws, criminal and civil fraud and abuse laws, HIPAA, employment law,...

904.633.8901
Jennifer Hennessy, Foley Lardner Law Firm, Privacy Security and Healthcare Attorney
Associate

Jennifer J. Hennessy is a privacy and security and health care regulatory attorney with Foley & Lardner LLP. Her practice includes advising businesses on compliance with state and federal data privacy and security laws. She assists covered entities and business associates in complying with the HIPAA Privacy and Security Rules, and also advises businesses and individuals on compliance with state data privacy laws and federal law 42 C.F.R. Part 2, Confidentiality of Alcohol and Drug Abuse Treatment Records. She frequently guides clients through data incident management and the entire breach notification process, from the early stages of the investigation to the notification of affected individuals and state and federal government regulators. Her depth of experience in this area allows her to provide clients with practical and business-oriented solutions in the event of a data incident and in its aftermath. Prior to joining Foley, Ms. Hennessy was a health law associate with a large U.S. law firm based in Milwaukee.

617-502-3211
Jennifer L. Rathburn iFoley & Lardner LLP Milwaukee data protection programs, data incident management lawyer
Partner

Jennifer L. Rathburn is a partner with Foley & Lardner LLP. Ms. Rathburn focuses on counseling clients on data protection programs, data incident management, and breach response and recovery, as well as the monetization of data, the Health Insurance Portability and Accountability Act (HIPAA), and other privacy and security issues. She is one of the founders of the Midwest Cyber Security Alliance and has a deep understanding of the complex risk, operational, and legal issues companies must address to maintain the confidentiality of, access to, and integrity of their...

414-297-5864