…when it comes to business associates.
It was old fashioned carelessness. They lost track of thousands of paper records. The losses weren’t caused by theft.
Business Associates have been required to comply with HIPAA since 2009 after passage of the HITECH law. In 2013 HIPAA was revised to name the specific rules of that business associates must follow. Last week OCR issued a new “Fact Sheet” to provide clear guidance around business associate liability. The fact sheet doesn’t change the 2013 “final rule,” but is designed to clarify the rule and highlight its importance.
There are ten violations listed in the Fact Sheet – all listed at the end – but three key points commonly missed are:
- Failure to comply with the Security Rule (solution: a thorough Risk Analysis every year)
- Impermissible uses and disclosures of PHI (solution: updated HIPAA policies and workforce training)
- Failure to enter into and follow business associate agreements with subcontractor business associates (solution: subcontractor business associate due diligence)
The HIPAA E-Tool® has answers for both covered entities and business associates. For covered entities, learn how to identify business associates, see guidance and easy-to-use due diligence forms, and a HIPAA compliant business associate agreement that suits your organization.
For business associates, the Business Associate Edition guides you through your HIPAA responsibilities and provides HIPAA-compliant agreements for your use.
From the Fact Sheet – business associates are directly liable for the following HIPAA violations:
- Failure to provide the regulator records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit HHS access to information including pertinent protected health information (PHI).
- Taking any retaliatory action against any individual for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules.
- Failure to comply with the requirements of the Security Rule.
- Failure to provide breach notification to a covered entity or another business associate.
- Impermissible uses and disclosures of PHI.
- Failure to disclose a copy of electronic PHI (ePHI) to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement) to satisfy a covered entity’s obligations regarding the form and format, and the time and manner of access under 45 C.F.R. §§ 164.524(c)(2)(ii) and 3(ii), respectively.
- Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
- Failure, in certain circumstances, to provide an accounting of disclosures.
- Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.
- Failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.