Business Associates Liable for HIPAA Breaches

July 6, 2019

The Office of Civil Rights (OCR), the office within the Department of Health and Human Services that enforces HIPAA rules, recently entered into a $100,000 settlement with a business associate that violated HIPAA by allowing hackers to access the electronic protected health information (PHI) of 3.5 million people.


Under HIPAA, a business associate is an organization or person that creates, receives, maintains, or transmits protected health information while providing services to a covered entity—like a health plan—or to another business associate. After this settlement, OCR published guidance on actions that could lead to direct liability of a business associate under HIPAA. Examples of violations include:

  • Refusing to cooperate with OCR in determining compliance
  • Failure to follow HIPAA security rules
  • Failure to provide notification to a covered entity of a breach
  • Unauthorized use and disclosure of PHI
  • Failure to limit disclosure of PHI to the minimum amount necessary
  • Failure to enter into a business associate agreement with a subcontractor


The settlement and the guidance serve as a reminder to covered entities and business associates alike of a business associate's responsibilities and the potential consequences of noncompliance under HIPAA.

© 2019 by Ledbetter Parisi LLC.