The Department of Health and Human Services (“HHS”) may have signaled its interest in pursuing more enforcement actions against business associates. On May 24, 2019, the HHS Office for Civil Rights (“OCR”) released a fact sheet on the direct liability of business associates under the Health Insurance Portability and Accountability Act (“HIPAA”). The day before releasing its new fact sheet, OCR also announced a $100,000 settlement with a business associate because of its alleged violations of the HIPAA Security Rule.
The 2013 Final Rule issued pursuant to the Health Information Technology for Economic and Clinical Health (“HITECH”) Act made business associates directly liable for compliance with certain requirements of the HIPAA Rules. In an effort to provide clarity about the circumstances under which a business associate can be held directly liable for noncompliance, OCR outlined the following 10 instances in which it has the authority to pursue enforcement actions against business associates (saying clearly that it “only” has authority under the following circumstances):
- Failing to provide the HHS Secretary with records and compliance reports, permit access to information and protected health information (“PHI”) to determine compliance, and cooperate with investigations and compliance reviews.
- Taking retaliatory action against any individual for filing a HIPAA complaint or opposing an act or practice that is unlawful under the HIPAA Rules.
- Failing to comply with the requirements of the Security Rule.
- Failing to provide breach notification to a covered entity or another business associate.
- Impermissibly using and disclosing PHI.
- Failing to disclose a copy of electronic PHI to either the covered entity, the individual, or the individual’s designee.
- Failing to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
- Failing, in certain circumstances, to provide an accounting of disclosures.
- Failing to enter into business associate agreements with subcontractors that create or receive PHI on their behalf.
- Failing to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.
In its enforcement action, OCR noted that a business associate that provides electronic medical record services to healthcare providers failed to regularly perform an assessment of the potential risks and vulnerabilities to electronic protected health information (“ePHI”). OCR initiated its investigation after the business associate filed a breach report informing OCR that hackers used a compromised user ID and password to access the ePHI of approximately 3.5 million people.
The business associate also settled the first ever HIPAA-related multistate data breach case in federal court and agreed to pay $900,000 to 16 state attorneys general (“AGs”) in relation to the same security incident. In addition to the HIPAA violations, the AGs alleged that the business associate’s security failures violated various state unfair and deceptive practice laws, breach notification statutes, and personal information protection acts.
In light of HHS’s back-to-back announcements last week (as well as the multistate settlement), business associates should be mindful of the above list of circumstances under which they can be directly liable for a HIPAA violation—and particularly of their obligations under the Security Rule.