Pension & Benefits News
Thursday, June 13, 2019

OCR issues fact sheet covering business associate liability under HIPAA rules

By Pension and Benefits Editorial Staff

The HHS Office for Civil Rights (OCR) has issued a new fact sheet compiling all provisions through which business associates of covered entities, such as health plans, can be held directly liable for compliance with certain Health Insurance Portability and Accountability Act (HIPAA) rules in accordance with the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. OCR has authority to take enforcement action against business associates for, among other things, failing to provide records and compliance reports or retaliating against individuals who file HIPAA complaints.

Background. Because most health care providers and plans do not carry out all of their own activities and functions by themselves, the Privacy Rule allows them to engage business associates to perform those functions. Business associates are persons or entities that perform functions or activities involving the use or disclosure of protected health information on behalf of covered entities. Business associates may include third-party administrators that assist with claims processing, consultants who perform utilization reviews, or pharmacy benefits managers who manage a health plan's pharmacist network.

In 2013, OCR issued a final rule identifying provisions of the HIPAA rules that apply directly to business associates and for which business associates are directly liable.

New guidance. According to the new fact sheet, OCR has authority to take enforcement action against business associates only for specific requirements and prohibitions of the HIPAA rules. Business associates who retaliate in any way against individuals for filing a HIPAA complaint, for participating in an investigation or other enforcement process, or for opposing an act or practice that is unlawful under the HIPAA rules are subject to liability.

Additionally, business associates are subject to liability if they fail to comply with Security Rule requirements, fail to provide breach notification to a covered entity or another business associate, engage in impermissible uses and disclosures of protected health information, or fail to disclose a copy of electronic protected health information to the covered entity, the individual, or the individual's designee (whichever is specified in the business associate agreement).

OCR can also pursue enforcement against business associates who fail to make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request, or who, in certain circumstances, fail to provide an accounting of disclosures.

The fact sheet also states that business associates are liable for failing to enter into business associate agreements with subcontractors that create or receive protected health information on their behalf, and for failing to comply with the implementation specifications for such agreements. Lastly, a failure to take reasonable steps to address a material breach or violation of a subcontractor's business associate agreement will result in liability.
