Since the Department of Health and Human Services enforced the requirements of the HITECH Act (Health Information Technology for Economic and Clinical Health Act) of 2009 in the 2013 Omnibus Final Rule, business associates of HIPAA covered entities that violate HIPAA Rules can be charged directly.
On May 24, 2019, the HHS' Office for Civil Rights spelled out which HIPAA violations committed by a business associate can result in a financial penalty.
Business associates of HIPAA covered entities will be penalized for non-compliance with the following HIPAA Rules requirements and prohibitions. OCR cannot issue any financial penalty to business associates if the HIPAA violation committed is not in the list below.
- Not providing the Secretary with data and compliance reports; not helping with investigations of complaints or compliance evaluations; and not providing the Secretary access to information required to determine compliance.
- Retaliating against any individual who files a HIPAA complaint, helps in investigations or opposes illegal practices covered by the HIPAA Rules.
- Not adhering to the Security Rule requirements.
- Not informing a covered entity or business associate that a breach occurred.
- Impermissible use or disclosure of PHI.
- Not sharing an electronic PHI (ePHI) copy with the covered entity, the person or a designee stated in the business associate agreement in fulfillment of a covered entity’s responsibilities relating to the form and format, the time and method of access.
- Not making adequate efforts to limit PHI use, disclosure or request to the minimum needed to satisfy the intended purpose.
- Not giving an accounting of disclosures in a number of instances.
- Not signing a business associate agreement with subcontractors prior to creating or accessing PHI and not complying with BAA requirements.
- Not doing anything to address a physical breach or a BAA violation by a subcontractor.
The HHS Fact Sheet regarding the direct responsibility of business associates is available here.