News & Features

By Lynda M. Johnson, Timothy C. Ezell and Amie K. Alexander
Published in Arkansas Medical News (July/August)

On May 24, 2019, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued clarification on all instances through which a business associate can be held directly liable for compliance with certain requirements of the HIPAA Privacy, Security, Breach Notification and Enforcement Rules (HIPAA Rules).

The HIPAA Privacy Rule and Business Associates

A business associate is a person or organization, other than a member of a covered entity’s workforce that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involves the use or disclosure of protected health information (PHI). Business associate services to a covered entity are limited to legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services. However, persons or organizations are not considered business associates if their functions or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all.

When a covered entity engages with a business associate, the Privacy Rule requires that the covered entity include certain protections for the information in a business associate agreement. In the business associate agreement, a covered entity must impose specified written safeguards on the individually identifiable health information used or disclosed by its business associates.

Direct Business Associate Liability Under HIPAA Rules

Congress enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, making business associates of covered entities directly liable for compliance with certain requirements of the HIPAA Rules. As directed in HITECH, OCR issued a final rule in 2013 to modify the HIPAA Rules to add provisions that apply directly to business associates.

This new factsheet is a clarification of these provisions. As set forth in the HITECH Act and OCR’s 2013 Final Rule, OCR has authority to take enforcement action against business associates only for those requirements and prohibitions of the HIPAA Rules as set forth below.

1. Failure to provide the Secretary with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the Secretary to information, including PHI, pertinent to determining compliance.
2. Taking any retaliatory action against any individual or other person for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules.
3. Failure to comply with the requirements of the Security Rule.
4. Failure to provide breach notification to a covered entity or another business associate.
5. Impermissible uses and disclosures of PHI.
6. Failure to disclose a copy of electronic PHI to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement) to satisfy a covered entity’s obligations regarding the form and format, and the time and manner of access under HIPAA Rules.
7. Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
8. Failure, in certain circumstances, to provide an accounting of disclosures.
9. Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.
10. Failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.

Enforcement actions against business associates by OCR has been on the rise. Since direct liability for business associates was established and extended in the 2013 Final Rule, there was little clarity as to whether OCR would pursue actions against the business associate, covered entity, or both for violations, and if so, the types of violations OCR would enforce against business associates.

This guidance from OCR serves as an important tool to business associates to avoid potential liability under the HIPAA Rules by complying with and documenting the requirements outlined above.

Written by the attorneys in the Health Law Practice Group at Friday, Eldredge & Clark, LLP, this information is not a substitute for legal advice and should be considered for general guidance only. For more information or if you have further questions, please contact one of our Health Law Attorneys.

Lynda M. Johnson has practiced in the health law area since 1986, representing a wide variety of healthcare providers including hospitals, physicians, physician groups, nursing homes, and home health agencies. Recently, her practice has focused on the representation of hospitals and physicians in HIPAA compliance efforts and other areas of regulatory compliance. Her practice also includes issues involving Stark I and II and Anti-Kickback compliance, Medicare/Medicaid reimbursement, corporate compliance issues, physician and hospital organization issues, managed care, healthcare and hospital law, long-term care and home health.

Timothy Ezell practices primarily in the area of healthcare law, representing hospitals, physician groups and other medical service providers in various corporate and compliance matters. His experience covers matters relating to HIPAA, Stark, fraud and abuse, anti-kickback, EMTALA, Medicare reimbursement, compliance, joint ventures, provider sales and acquisitions, medical staff bylaws and credentialing issues.

Amie K. Alexander joined the firm after earning her law degree from the University of Arkansas at Little Rock William H. Bowen School of Law. Her practice is focused in the area of healthcare where she works primarily on various corporate and compliance matters. She drafts and reviews policies to ensure compliance with federal healthcare regulations such as HIPAA, Stark I and Stark II, Anti-Kickback and Medicare/Medicaid reimbursement.