Ledbetter Parisi LLC
Business Associates Liable for HIPAA Breaches
The Office for Civil Rights (OCR), the office within the Department of Health and Human Services that enforces the HIPAA rules, recently entered into a $100,000 settlement with a business associate that violated HIPAA by allowing hackers to access the electronic protected health information (PHI) of 3.5 million people.
Under HIPAA, a business associate is an organization or person that creates, receives, maintains, or transmits protected health information while providing services to a covered entity—like a health plan—or to another business associate. After this settlement, OCR published guidance on actions that could lead to direct liability of a business associate under HIPAA. Examples of violations include:
Refusing to cooperate with OCR in determining compliance
Failure to follow the HIPAA security rules
Failure to provide notification to a covered entity of a breach
Unauthorized use and disclosure of PHI
Failure to limit disclosure of PHI to the minimum amount necessary
Failure to enter into a business associate agreement with a subcontractor
The settlement and the guidance serve as a reminder to covered entities and business associates alike of a business associate's responsibilities and the potential consequences of noncompliance under HIPAA.