The Office of Civil Rights (OCR) within the Department of Health and Human Services (HHS) has been able to hold “business associates” directly liable for certain HIPAA violations since 2009, with the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act. Under HIPAA, a “business associate” is an entity that receives protected health information (PHI) in order to provide services to a “covered entity” (such as a health care provider, a health plan, or a heath care clearinghouse).

The OCR’s enforcement tools include criminal charges as well as potentially substantial civil penalties. In 2016, for example, the OCR entered into a $650,000 settlement with the Catholic Health Care Services of the Archdiocese of Philadelphia. More recently, on May 23, 2019, the OCR reached a $100,000 settlement with Medical Informatics Engineering, Inc., another business associate, for HIPAA violations.

The day after the OCR’s most recent settlement, HHS released a Fact Sheet that lists the HIPAA violations for which a business associate may be directly liable to the OCR. Generally, business associates: (1) must completely comply with the HIPAA Security Rule; (2) must comply a significant portion of the HIPAA Privacy Rule; and (3) must report breaches of unsecured PHI to covered entities or other business associates under the HIPAA Breach Notification Rule.

More specifically, a business may be liable for:

  • Failing to provide records and compliance reports to HHS.
  • Failing to cooperate with complaint investigations and compliance reviews.
  • Failing to give HHS access to information, including PHI, pertinent to determining compliance.
  • Retaliating against any person for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that violates HIPAA.
  • Failing to comply with the requirements of the HIPAA Security Rule.
  • Failing to notify a covered entity or another business associate of a breach.
  • Impermissible uses and disclosures of PHI.
  • Failing to disclose a copy of electronic PHI to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement) to satisfy a covered entity’s obligations regarding the form and format, and the time and manner of access.
  • Failing to make reasonable efforts to limit PHI to the minimum necessary.
  • Failing, in certain circumstances, to provide an accounting of disclosures.
  • Failing to enter into business associate agreements with subcontractors that create or receive PHI on the business associate’s behalf, or failing to comply with the implementation specifications of such agreements.
  • Failing to take reasonable steps to address a material breach or violation of a subcontractor’s business associate agreement.

For other HIPAA violations, the OCR may have limited authority to hold a business associate directly liable. For example, the Fact Sheet specifically notes that the “OCR lacks the authority to enforce the ‘reasonable, cost-based fee’ limitation in 45 C.F.R. § 164.524(c)(4) against business associates because the HITECH Act does not apply the fee limitation provision to business associates.” As a result, the OCR only has the authority to go after the covered entity for such violation, even though the business associate committed the violation.  

It is unclear if the OCR’s recent settlement and release of the Fact Sheet indicate that the OCR will be ramping up enforcement proceedings against business associates. But that is a possibility. As a result, business associates should be mindful of their potential liability, and covered entities should continue to monitor their business associates for HIPAA compliance.