
Business Associates Liable for HIPAA Breaches

By Ledbetter Parisi LLC

The Office of Civil Rights (OCR), the office within the Department of Health and Human Services that enforces HIPAA rules, recently entered into a $100,000 settlement with a business associate that violated HIPAA by allowing hackers to access the electronic protected health information (PHI) of 3.5 million people.

Under HIPAA, a business associate is an organization or person that creates, receives, maintains, or transmits protected health information while providing services to a covered entity—like a health plan—or to another business associate. After this settlement, OCR published guidance on actions that could lead to direct liability of a business associate under HIPAA. Examples of violations include:

  • Refusing to cooperate with OCR in determining compliance
  • Failure to follow HIPAA security rules
  • Failure to provide notification to a covered entity of a breach
  • Unauthorized use and disclosure of PHI
  • Failure to limit disclosure of PHI to the minimum amount necessary
  • Failure to enter into a business associate agreement with a subcontractor

The settlement and the guidance serve as a reminder to covered entities and business associates alike of a business associate's responsibilities and the potential consequences of noncompliance under HIPAA.


© 2024 by Ledbetter Partners LLC