HHS Publishes New Fact Sheet on Business Associate Direct Liability
On May 24, 2019, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a new fact sheet compiling all of the provisions under which a business associate may be held directly liable under the HIPAA Privacy, Security, Breach Notification, and Enforcement regulations (collectively, the HIPAA Rules). The fact sheet is intended to make it as easy as possible for business associates to understand and comply with their obligations under the HIPAA Rules.
Under the HIPAA Rules, OCR has authority to take enforcement action directly against business associates only for the specific requirements and prohibitions enumerated in the fact sheet; all other HIPAA obligations remain enforceable only against covered entities.
Within the fact sheet, OCR provided two non-exclusive scenarios illustrating when the HIPAA Rules can (and cannot) lead to direct liability for business associates. For example, where the business associate’s agreement with a covered entity requires it to provide an individual with an electronic copy of his or her ePHI upon the individual’s request and the business associate fails to do so, OCR has enforcement authority directly over the business associate for that failure. However, OCR lacks the authority to enforce the “reasonable, cost-based fee” limitation in 45 C.F.R. § 164.524(c)(4) against business associates because the fee limitation provision only applies to covered entities, not to business associates. A covered entity that engages the services of a business associate to fulfill an individual’s request for access to their PHI is responsible for ensuring, where applicable, no more than the reasonable, cost-based fee permitted under HIPAA is charged. If the fee charged is in excess of the fee limitation, OCR can take enforcement action against only the covered entity.
The new HHS fact sheet is available here.
If you have any questions regarding business associate liability under HIPAA Rules or any other HIPAA compliance related questions, please contact your Dinsmore health care attorney.
45 C.F.R. §§ 164.524(c)(2)(ii) and (c)(3)(ii).