A HIPAA Business Associate (“Business Associate”) is an individual or entity that performs or furnishes activities or services for or on behalf of a HIPAA Covered Entity (“Covered Entity”) involving the use or disclosure of protected health information (“PHI”). The HITECH Act and OCR’s HIPAA Security final rule provide the U.S. Department of Health & Human Services Office for Civil Rights (“OCR”) with authority to take enforcement action against Business Associates only for those requirements and prohibitions of the HIPAA Rules outlined below.
Based on recent guidance provided by OCR, Business Associates should implement a HIPAA compliance program and document compliance with the HIPAA Privacy and Security rules in order to minimize potential HIPAA enforcement actions. Covered Entities should also perform due diligence on potential Business Associates and monitor and audit Business Associate compliance.
The OCR Guidance
HIPAA Business Associates are legally obligated to comply with the terms and conditions of their HIPAA Business Associate agreements with Covered Entities; however, OCR issued recent guidance confirming that Business Associates are also directly liable for HIPAA violations as follows:
- Failure to provide the Secretary with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the Secretary to information, including PHI, pertinent to determining compliance.
- Taking any retaliatory action against any individual or other person for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules.
- Failure to comply with the requirements of the Security Rule.
- Failure to provide breach notification to a Covered Entity or another Business Associate.
- Impermissible uses and disclosures of PHI.
- Failure to disclose a copy of electronic PHI (ePHI) to either the Covered Entity, the individual, or the individual’s designee (whichever is specified in the Business Associate agreement) to satisfy a Covered Entity’s obligations regarding the form and format, and the time and manner of access under 45 C.F.R. §§ 164.524(c)(2)(ii) and 3(ii), respectively.
- Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
- Failure, in certain circumstances, to provide an accounting of disclosures.
- Failure to enter into Business Associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.
- Failure to take reasonable steps to address a material breach or violation of the subcontractor’s Business Associate agreement.
Business Associates should review the HIPAA direct liability areas referenced above and ensure that they have policies and procedures that address each compliance requirement.
Recent OCR Enforcement Actions Against Business Associates
OCR enforcement actions against Business Associates are increasing. This year, for instance, Medical Informatics Engineering Inc. (“MIE”), a software and medical records service, agreed to pay a $100,000 settlement to OCR and enter into a corrective action plan following a username-and-password cyber attack that allowed hackers to access the PHI of at least 3.5 million people. Under the corrective action plan, MIE was required to conduct a security risk assessment and implement a security risk management plan.
In 2018, Filefax, Inc., a medical records storage company, agreed to pay a $100,000 settlement to OCR for leaving the PHI of 2,150 patients in an unlocked truck in a parking lot and for failing to properly dispose of PHI documents.
Back in 2016, Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), an information technology company, agreed to pay a $650,000 settlement to OCR and enter into a corrective action plan after an employee’s unencrypted iPhone was stolen, exposing the PHI of 412 nursing home residents. Under the corrective action plan, CHCS was required to conduct a risk analysis and develop a risk management plan, develop and implement written HIPAA policies and procedures, train the CHCS workforce on the new HIPAA policies and procedures, and submit HIPAA compliance documentation reports to OCR for two years.
Conclusion
The OCR guidance confirms that HIPAA Business Associates are directly liable and subject to OCR enforcement actions for failure to comply with HIPAA privacy and security requirements. Business Associates are also liable to Covered Entities through Business Associate agreement contractual liability. In order to minimize potential HIPAA enforcement actions, Business Associates should implement a HIPAA compliance program and document compliance with the HIPAA Privacy and Security rules.
Covered Entities should perform due diligence on potential Business Associates and monitor and audit Business Associate compliance. In addition, Covered Entities should consider including indemnification provisions in Business Associate agreements to require the Business Associate to indemnify the Covered Entity for losses incurred due to the Business Associate’s failure to comply with the HIPAA Privacy and Security rules.
For more information on HIPAA Privacy and Security requirements for Business Associates or Covered Entities, please contact a member of Hinshaw’s Health Care Practice Group.