Heads Up: New Guidance Issued for Business Associates Under HIPAA

June 7, 2019

By Kate Hickner and Andrew Wilber

healthcareThe HHS Office for Civil Rights (“OCR”) has issued a fact sheet clarifying which provisions of the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (the “HIPAA Rules”) apply directly to business associates.

Although the HIPAA Rules generally only apply to covered entities (i.e., health plans, health care clearinghouses or health care providers that electronically transmit health information in connection with transactions for which HHS has adopted standards), certain provisions of the HIPAA Rules also apply to the individuals or entities that use or disclose protected health information on behalf of covered entities.

These so-called business associates became directly liable for complying with certain requirements of the HIPAA Rules after Congress enacted the Health Information Technology for Economic and Clinical Health (“HITECH”) Act in 2009, and after OCR issued a 2013 final rule identifying the provisions of the HIPAA Rules that apply directly to business associates.

Incorporating the relevant provisions of the HITECH Act and the 2013 final rule, this new fact sheet clarifies that OCR may only take enforcement action against business associates for the following HIPAA violations:

  1. Failure to provide the Secretary with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the Secretary to information, including protected health information (PHI), pertinent to determining compliance.
  2. Taking any retaliatory action against any individual or other person for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules.
  3. Failure to comply with the requirements of the Security Rule.
  4. Failure to provide breach notification to a covered entity or another business associate.
  5. Impermissible uses and disclosures of PHI.
  6. Failure to disclose a copy of electronic PHI to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement) to satisfy a covered entity’s obligations regarding the form and format, and the time and manner of access under 45 C.F.R. §§ 164.524(c)(2)(ii) and 3(ii), respectively.
  7. Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
  8. Failure, in certain circumstances, to provide an accounting of disclosures.
  9. Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.
  10. Failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.

If a business associate commits a violation other than one of the violations listed above, only the covered entity is directly liable. OCR cites as an example the “reasonable, cost-based fee limitation” in 45 C.F.R. § 164.524(c)(4). Under this limitation, a covered entity may only impose a reasonable, cost-based fee to fulfill an individual’s request for a copy of protected health information. Because this is not one of the provisions of the HIPAA Rules for which business associates are directly liable, if a business associate, acting on behalf of a covered entity, violates this limitation, OCR may only take action against the covered entity.

For further information, feel free to reach out to Kate Hickner at 216.736.7279 or keh@kjk.com or Andrew Wilber at 216.736.7298 or ajw@kjk.com, or contact any of our Healthcare professionals.


KJK publications are intended for general information purposes only and should not be construed as legal advice on any specific facts or circumstances. All articles published by KJK state the personal views of the authors. This publication may not be quoted or referred without our prior written consent. To request reprint permission for any of our publications, please use the “Contact Us” form located on this website. The mailing of our publications is not intended to create, and receipt of them does not constitute, an attorney-client relationship. The views set forth therein are the personal views of the author and do not necessarily reflect those of KJK.