New HHS Fact Sheet on Direct Liability of Business Associates Under HIPAA

Posted on Monday, June 3, 2019 1:17 AM

The Health and Human Services Office for Civil Rights has issued a new fact sheet that provides a clear list of instances through which a business associate can be held directly liable for compliance with certain requirements of the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (“HIPAA Rules”).
OCR has authority to take enforcement action against business associates only for those requirements and prohibitions of the HIPAA Rules that appear on the following list.
1. Failure to provide the Secretary with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the Secretary to information, including protected health information (PHI), pertinent to determining compliance.
2. Taking any retaliatory action against any individual or other person for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules.
3. Failure to comply with the requirements of the Security Rule.
4. Failure to provide breach notification to a covered entity or another business associate.
5. Impermissible uses and disclosures of PHI.
6. Failure to disclose a copy of electronic PHI to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement) to satisfy a covered entity’s obligations regarding the form and format, and the time and manner of access under 45 C.F.R. §§ 164.524(c)(2)(ii) and 3(ii), respectively.
7. Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
8. Failure, in certain circumstances, to provide an accounting of disclosures.
9. Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.
10. Failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.

Source: NAHC Report


About Corridor

Corridor is the nation’s preferred partner and trusted business advisor to home health and hospice providers, providing quality services and impactful results for 30 years. Focusing on key operational, regulatory and financial challenges, Corridor delivering industry-unique solutions and deep expertise in coding, clinical documentation review, compliance, billing and collections , consulting and provider staff education . At Corridor, we make the business of caring for people Better! For the most important industry updates and news that impacts home health and hospice, please make sure to sign up for our weekly newsletter to receive the latest up-to-date industry information direct to your inbox!

For additional information, please contact Corridor at 1-866-263-3795.

Go Back

Explore Corridor’s Solutions

Share This Story, Choose Your Platform!