Ledbetter Parisi LLC

Business Associates Liable for HIPAA Breaches

The Office of Civil Rights (OCR), the office within the Department of Health and Human Services that enforces HIPAA rules, recently entered into a $100,000 settlement with a business associate that violated HIPAA by allowing hackers to access the electronic protected health information (PHI) of 3.5 million people.

Under HIPAA, a business associate is an organization or person that creates, receives, maintains, or transmits protected health information while providing services to a covered entity—like a health plan—or to another business associate. After this settlement, OCR published guidance on actions that could lead to direct liability of a business associate under HIPAA. Examples of violations include:

  • Refusing to cooperate with OCR in determining compliance

  • Failure to follow HIPAA security rules

  • Failure to provide notification to a covered entity of a breach

  • Unauthorized use and disclosure of PHI

  • Failure to limit disclosure of PHI to the minimum amount necessary

  • Failure to enter into a business associate agreement with a subcontractor

The settlement and the guidance serve as a reminder to covered entities and business associates alike of a business associate's responsibilities and the potential consequences of noncompliance under HIPAA.
