OCR Fact Sheet Clarifies BA Liability Under HIPAA

A blue door with two small holes in it.

The U.S. Department of Health and Human Services Office for Civil Rights recently issued a new fact sheet on the Direct Liability of Business Associates under HIPAA. The release of the fact sheet immediately followed a settlement agreement with a business associate relating to a data breach that occurred in 2015 when hackers used a compromised user ID and password to access the electronic protected health information (ePHI) of some 3.5 million individuals. (More on that later).

In issuing its fact sheet, OCR’s director stated: “We want to make it as easy as possible for regulated entities to understand, and comply with, their obligations under the law.â€

The fact sheet outlines ten violations for which business associates can be held directly liable:

  • Failure to provide records and compliance reports; cooperate with OCR complaint investigations and compliance reviews; and permit investigators with access to information, including protected health information (PHI), pertinent to determining compliance.
  • Taking retaliatory action against any individual for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules.
  • Failure to comply with the requirements of the Security Rule.
  • Failure to provide breach notification to a covered entity or another business associate.
  • Impermissible uses and disclosures of PHI.
  • Failure to disclose a copy of electronic PHI to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement) to satisfy a covered entity’s obligations regarding the form and format, and the time and manner of access under 45 C.F.R. §§ 164.524(c)(2)(ii) and 3(ii), respectively.
  • Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
  • Failure, in certain circumstances, to provide an accounting of disclosures.
  • Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.
  • Failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.

However, the fact sheet notes that some other violations, such as the reasonable cost requirement for a patient’s access to their PHI, cannot be enforced directly by OCR against a business associate and that the covered entity is still responsible for these types of violations.

By law, HIPAA applies only to covered entities (i.e. health plans, healthcare clearinghouses and certain healthcare providers). However, many other business associates, such as a third-party administrator, a consultant, or a pharmacy benefits manager, need access to patients’ protected health information to do their job.

In such cases, covered entities must obtain, in writing, assurances that the business associate will safeguard the information it receives.

With regard to the previously mentioned case, the business associate involved in the 2015 data breach, Medical Informatics Engineering, Inc., is an Indiana company that provides software and electronic medical record services to healthcare providers. It agreed to pay $100,000 to OCR and take corrective action to settle the alleged violations.

Although the company filed a breach report, OCR found that it did not conduct a comprehensive risk analysis prior to the breach. HIPAA rules require entities to perform an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of an entity’s electronic protected health information.

In addition to the government penalties, sixteen states sued Medical Informatics in Indiana federal district court in December 2018. In May 2019, a federal judge signed a consent order and judgment requiring the company to pay a combined sum of $900,000 to the state defendants over the next three years. 

According to published reports, healthcare related data breaches continue to rise. In April alone, there were 46 healthcare data breaches reported, up 48 percent from the previous month. Most recently, LabCorp and Quest Diagnostics reported data breaches affecting a combined total of about 20 million patients.

These cases should serve as a warning to business associates of the need to ensure strict compliance with HIPAA and to make sure appropriate security protections for patient health information are in place.

Under HIPAA, risk assessments are required with results reviewed and deficiencies addressed. Assessments should focus on the confidentiality, availability and integrity of patients’ personal health information and should include the entire organization.

The Health Law Offices of Anthony C. Vitale’s highly skilled team of experienced legal professionals can help you to create a HIPAA Privacy and Security compliance program designed to meet your unique needs. Give us a call at 305-358-4500 or send an email to info@vitalehealthlaw.com and let’s discuss how we might be able to assist you.

Ready to find out more?

Call 305-358-4500 to schedule a
FREE 15-minute consultation today!

Posted in

The Health Law Offices of Anthony C. Vitale

Categories