HHS Publishes New Fact Sheet on Business Associate Direct Liability
On May 24, 2019, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a new fact sheet providing a compilation of all provisions through which a business associate may be held directly liable with the HIPAA Privacy, Security, Breach Notification, and Enforcement regulations (collectively the HIPAA Rules). This fact sheet is intended to make it as easy as possible for business associates to understand and comply with their obligations under HIPAA Rules.
Pursuant to HIPAA Rules, OCR has authority to take enforcement action directly against business associates only for the following requirements and prohibitions of the HIPAA Rules.
Within the fact sheet, OCR provided two non-exclusive scenarios illustrating when the HIPAA Rules can (and cannot) lead to direct liability for business associates. For example, where the business associate’s agreement with a covered entity requires it to provide an individual with an electronic copy of his or her ePHI upon the individual’s request and the business associate fails to do so, OCR has enforcement authority directly over the business associate for that failure. However, OCR lacks the authority to enforce the “reasonable, cost-based fee” limitation in 45 C.F.R. § 164.524(c)(4) against business associates because the fee limitation provision only applies to covered entities, not to business associates. A covered entity that engages the services of a business associate to fulfill an individual’s request for access to their PHI is responsible for ensuring, where applicable, no more than the reasonable, cost-based fee permitted under HIPAA is charged. If the fee charged is in excess of the fee limitation, OCR can take enforcement action against only the covered entity.
The new HHS fact sheet is available here.
If you have any questions regarding business associate liability under HIPAA Rules or any other HIPAA compliance related questions, please contact your Dinsmore health care attorney.
 45 C.F.R. §§ 164.524(c)(2)(ii) and 3(ii).
Link to article
- IRS Issues 2020 Limits for Retirement Plans
- Is a Benefit Corporation Right for You?
- The New Amendment to the KPK Law: Newly Passed Bill
- Keep Medicare Enrollment Information Correct and Current or Suffer Consequences
WSG Member: Please login to add your comment.