HHS Publishes New Fact Sheet on Business Associate Direct Liability
On May 24, 2019, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a new fact sheet compiling all provisions under which a business associate may be held directly liable under the HIPAA Privacy, Security, Breach Notification, and Enforcement regulations (collectively the HIPAA Rules). This fact sheet is intended to make it as easy as possible for business associates to understand and comply with their obligations under the HIPAA Rules.
Pursuant to HIPAA Rules, OCR has authority to take enforcement action directly against business associates only for the following requirements and prohibitions of the HIPAA Rules.
Within the fact sheet, OCR provided two non-exclusive scenarios illustrating when the HIPAA Rules can (and cannot) lead to direct liability for business associates. For example, where the business associate’s agreement with a covered entity requires it to provide an individual with an electronic copy of his or her ePHI upon the individual’s request and the business associate fails to do so, OCR has enforcement authority directly over the business associate for that failure. However, OCR lacks the authority to enforce the “reasonable, cost-based fee” limitation in 45 C.F.R. § 164.524(c)(4) against business associates because the fee limitation provision only applies to covered entities, not to business associates. A covered entity that engages the services of a business associate to fulfill an individual’s request for access to their PHI is responsible for ensuring, where applicable, no more than the reasonable, cost-based fee permitted under HIPAA is charged. If the fee charged is in excess of the fee limitation, OCR can take enforcement action against only the covered entity.
The new HHS fact sheet is available here.
If you have any questions regarding business associate liability under the HIPAA Rules or any other HIPAA compliance-related questions, please contact your Dinsmore health care attorney.
 45 C.F.R. §§ 164.524(c)(2)(ii) and 3(ii).