• Skip to main content

DistilGovHealth

DistilNFO GovHealth Advisory

  • Publications
    • Home
    • DistilINFO HealthPlan
    • DistilINFO HospitalIT
    • DistilINFO IT
    • DistilINFO Retail
    • DistilINFO POPHealth
    • DistilINFO Ageing
    • DistilINFO Life Sciences
    • DistilINFO GovHealth
    • DistilINFO EHS
    • DistilINFO HealthIndia
    • Subscribe
    • Submit Article
    • Advertise
    • Newsletters

New HHS Fact Sheet On Direct Liability of Business Associates under HIPAA

Share:

June 11, 2019

The HHS Office for Civil Rights (OCR) has issued a new fact sheet that provides a clear compilation of all provisions through which a business associate can be held directly liable for compliance with certain requirements of the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (“HIPAA Rules”), in accordance with the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. In 2013, under the authority granted by the HITECH Act, OCR issued a final rule that, among other things, identified provisions of the HIPAA Rules that apply directly to business associates and for which business associates are directly liable.

OCR has authority to take enforcement action against business associates only for those requirements and prohibitions of the HIPAA Rules that appear on the following list.

  1. Failure to provide the Secretary with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the Secretary to information, including protected health information (PHI), pertinent to determining compliance.
  2. Taking any retaliatory action against any individual or other person for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules.
  3. Failure to comply with the requirements of the Security Rule.
  4. Failure to provide breach notification to a covered entity or another business associate.
  5. Impermissible uses and disclosures of PHI.
  6. Failure to disclose a copy of electronic PHI to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement) to satisfy a covered entity’s obligations regarding the form and format, and the time and manner of access under 45 C.F.R. §§ 164.524(c)(2)(ii) and 3(ii), respectively.
  7. Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
  8. Failure, in certain circumstances, to provide an accounting of disclosures.
  9. Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.
  10. Failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.

“As part of the Department’s effort to fully protect patients’ health information and their rights under HIPAA, OCR has issued this important new fact sheet clearly explaining a business associate’s liability,” said OCR Director Roger Severino.  “We want to make it as easy as possible for regulated entities to understand, and comply with, their obligations under the law.”

The new fact sheet may be found at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html along with OCR’s guidance on business associates.

Want to publish your own articles on DistilINFO Publications?

Send us an email, we will get in touch with you.

Date: June 12, 2019

Source: HHS.gov

Coffee with DistilINFO's Morning Updates...

Sign up for DistilINFO e-Newsletters.

Just a little bit more about you...
PROCEED
Choose Lists
BACK

Related Stories

  • OCR seeks public input on potential modifications to the HIPAA RulesOCR seeks public input on potential modifications to the HIPAA Rules
  • Request for Information on Modifying HIPAA Rules To Improve Coordinated CareRequest for Information on Modifying HIPAA Rules To Improve Coordinated Care
  • HHS OCR Clarifies When Health Plans Can Share PHI Under HIPAAHHS OCR Clarifies When Health Plans Can Share PHI Under HIPAA
  • AMA to HHS: HIPAA changes aren’t needed for care coordination — 9 notesAMA to HHS: HIPAA changes aren’t needed for care coordination — 9 notes
  • HHS Clarifies HIPAA Liability Around Third-Party Health AppsHHS Clarifies HIPAA Liability Around Third-Party Health Apps
  • OCR, DOE Updates Privacy Guidance on Sharing Student Health RecordsOCR, DOE Updates Privacy Guidance on Sharing Student Health Records

Trending This Week

Sorry. No data so far.

About Us

DistilINFO is media company that publishes Industry news, views and Interviews. We distil the information for you – saving time and keeping you up to date on your interest areas.

More About Us

Follow Us


Useful Links

  • Subscribe
  • Contact
  • Advertise
  • Privacy Policy
  • Terms of Service
  • Feedback

All Publications

  • DistilINFO HealthPlan Advisory
  • DistilINFO HospitalIT Advisory
  • DistilINFO IT Advisory
  • DistilINFO Retail Advisory
  • DistilINFO POPHealth Advisory
  • DistilINFO Ageing Advisory
  • DistilINFO Life Sciences Advisory
  • DistilINFO GovHealth Advisory
  • DistilINFO EHS Advisory
  • DistilINFO HealthIndia Advisory

© DistilINFO Publications