Business Associates Liable for HIPAA Breaches
The Office of Civil Rights (OCR), the office within the Department of Health and Human Services that enforces HIPAA rules, recently entered into a $100,000 settlement with a business associate that violated HIPAA by allowing hackers to access the electronic protected health information (PHI) of 3.5 million people.
Under HIPAA, a business associate is an organization or person that creates, receives, maintains, or transmits protected health information while providing services to a covered entity—like a health plan—or to another business associate. After this settlement, OCR published guidance on actions that could lead to direct liability of a business associate under HIPAA. Examples of violations include:
Refusing to cooperate with OCR in determining compliance
Failure to follow HIPAA security rules
Failure to provide notification to a covered entity of a breach
Unauthorized use and disclosure of PHI
Failure to limit disclosure of PHI to the minimum amount necessary
Failure to enter into a business associate agreement with a subcontractor.
The settlement and the guidance serve as a reminder to covered entities and business associates alike of a business associate's responsibilities and the potential consequences of noncompliance under HIPAA.