New Fact Sheet From The HHS – Questions & Answers
The Health and Human Services Office for Civil Rights (OCR) has issued a new fact sheet that provides clear information about when a business associate can be held directly liable for compliance with requirements of the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (“HIPAA Rules”).
This is in accordance with the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. In 2013, under the authority granted by the HITECH Act, OCR issued a final rule that, among other things, identified provisions of the HIPAA Rules that apply directly to business associates and for which business associates are directly liable.
What Does This Mean?
While HIPAA applies directly to health providers, health plans and clearinghouses, some of your vendors are considered business associates.
Under HIPAA, these vendors are deemed business associates if they:
- Handle protected health information “only for the purposes for which it was engaged by the covered entity,
- Will safeguard the information from misuse, and
- Will help you comply with some of the covered entity’s duties under the Privacy Rule.
This means that any IT services company you work with must be HIPAA compliant. (We are).
Why Is HHS Issuing The New Fact Sheet?
They want to provide clear guidance around business associate liability that’s outlined in a 2013 final rule issued by OCR under the authority of the HITECH Act.
OCR Director Roger Severino states:
“As part of the Department’s effort to fully protect patients’ health information and their rights under HIPAA, OCR has issued this important new fact sheet clearly explaining a business associate’s liability. We want to make it as easy as possible for regulated entities to understand, and comply with, their obligations under the law.”
What’s Included In The New Fact Sheet?
There are 10 provisions where OCR has the authority to take enforcement action against a business associate.
For example, the first one explains that a business associate must provide HHS with records and compliance reports, and cooperate with complaint investigations and compliance reviews.
What Should You Do?
Refer to the OCR’s new fact sheet outlining all HIPAA and HITECH provisions and stating which business associates can be held liable. This will also help you understand when HHS can take enforcement action against your business associates.
What Are The Ten Provisions In The New Fact Sheet?
According to the new fact sheet, OCR has the authority to take enforcement action against business associates only for those requirements and prohibitions of the HIPAA Rules that appear on the following list.
Business associates are directly liable for HIPAA violations as follows:
- Failure to provide the Secretary with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the Secretary to information, including protected health information (PHI), pertinent to determining compliance.
- Taking any retaliatory action against any individual or other person for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules.
- Failure to comply with the requirements of the Security Rule.
- Failure to provide breach notification to a covered entity or another business associate.
- Impermissible uses and disclosures of PHI.
- Failure to disclose a copy of electronic PHI to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement) to satisfy a covered entity’s obligations regarding the form and format, and the time and manner of access under 45 C.F.R. §§ 164.524(c)(2)(ii) and 3(ii), respectively.
- Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
- Failure, in certain circumstances, to provide an accounting of disclosures.
- Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.
- Failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.
What Are Some Important Things For Your Business Associates To Remember?
Your Business Associates:
- Must permit access to information, including protected health information, to the HHS when it’s pertinent to determining compliance.
- Are prohibited from taking any retaliatory action against an individual for filing a HIPAA complaint, participating in an investigation or enforcement process, or opposing a business associate’s practice deemed unlawful by HIPAA.
- Will also be held liable for failing to disclose an ePHI copy to you, an individual, or an individual’s designee that would “satisfy a covered entity’s obligations regarding the form and format, and the time and manner of access.
- Are also required to make reasonable efforts to limit the amount of PHI to minimum necessary to complete the required use, disclosure, or request, as well as provide an accounting of disclosures in certain circumstances and enter into a business associate agreements with subcontractors that create or receive PHI on their behalf in compliance with the implementation of the agreement.
- Must take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.
Failure to comply with these provisions can lead to an OCR enforcement action.
OCR will also take action for failure to comply with HIPAA, provide breach notification to a covered entity or another business associate, or for impermissible use and disclosure of PHI.
The HHS’s new fact sheet can be found at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html along with OCR’s guidance on business associates.
In the meantime, you can keep up-to-date on news about HIPAA and other IT topics by reading our IT Business News.