



Direct Liability of Business Associates under HIPAA

Newly Issued Fact Sheet on Direct Liability of Business Associates under HIPAA

Written by DOUG KANNEY on Jun 13, 2019

On May 24th, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a fact sheet on the direct liability of Business Associates under HIPAA. For reference, if an organization is unsure whether it is a Business Associate, a good resource can be found here.

The purpose of this fact sheet is to provide a clear compilation of all provisions through which a Business Associate can be held directly liable for compliance with certain requirements of the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (“HIPAA Rules”), in accordance with the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.

In 2013, under the authority granted by the HITECH Act of 2009, the OCR issued a final rule that, among other things, identified provisions of the HIPAA Rules that applied directly to business associates and for which business associates are directly liable.

The fact sheet details the 10 provisions for which OCR has the authority to take enforcement action against a Business Associate. That might sound small, but the 3rd provision notes that Business Associates must comply with all requirements of the HIPAA Security Rule. This brings in many more specific requirements that directly apply to Business Associates.

I’ve found that many Business Associates are unclear about which HIPAA provisions apply to them. Many times, they are misinformed from relying on old articles, websites, papers, or even outdated versions of the HIPAA regulation online that predated the 2013 update to identify provisions that apply directly to Business Associates. I’ve also seen Business Associates say all of the HIPAA Privacy and HITECH Breach Notification Rules do not apply to them because they are not Covered Entities.

OCR Director Roger Severino stated on the fact sheet “We want to make it as easy as possible for regulated entities to understand, and comply with, their obligations under the law.”

This fact sheet is clearly laid out and provides Business Associates something that can quickly be pulled up to find, at a minimum, which requirements apply to them. Depending on the type of service provided, a Business Associate may have more requirements that apply to it than what is listed in the fact sheet, but a large percentage will have only the ones listed in the fact sheet apply. The fact sheet also specifies the exact references of the provisions of HIPAA that are being described, so the reader can refer to them to review in detail. Overall, this is a great reference that all Business Associates should be aware of when considering which specifications of the HIPAA Rules apply to them.

Read or download our published "Direct Liability of Business Associates Under HIPAA" whitepaper here.

Doug Kanney is a Principal at Schellman & Company, Inc. Doug leads the HITRUST and HIPAA service lines and assists with methodology and service delivery across the SOC, PCI-DSS, and ISO service lines. Doug has more than 10 years of combined audit experience in both public accounting and private industry. Doug has provided professional services for multiple Global 1000, Fortune 500, and regional companies during the course of his career.