OCR issues new fact sheet on business associate liability

The HHS Office for Civil Rights (OCR) issued a new fact sheet last week that clarifies the circumstances under which OCR may hold business associates (BA) directly liable.

In the New HHS Fact Sheet on Direct Liability of Business Associates under HIPAA, OCR explains that the HITECH Act, which was clarified in 2013, identified the provisions of HIPAA that apply directly to BAs. The fact sheet identifies 10 categories of violations for which OCR has the authority to hold BAs directly liable, stating that OCR has authority to take enforcement action against BAs only for those that appear on the following list:

1. Failure to cooperate with HHS investigations and compliance reviews, including providing HHS with records, compliance reports, and information, including protected health information (PHI), pertinent to determining compliance
2. Taking any retaliatory action against any individual or other person for filing a HIPAA complaint or participating in an investigation or other enforcement process
3. Failure to comply with HIPAA Security Rule requirements
4. Failure to provide breach notification to a covered entity or another business associate
5. Impermissible uses and disclosures of PHI
6. Failure to disclose a copy of electronic PHI to either the covered entity, the individual, or the individual’s designee in a readily available form and format
7. Failure to make reasonable efforts to adhere to the minimum necessary standard
8. Failure to provide an accounting of disclosures in certain circumstances
9. Failure to enter into HIPAA-compliant business associate agreements (BAA) with subcontractors that create or receive PHI on their behalf
10. Failure to take reasonable steps to address a breach or violation of the subcontractor’s BAA