HIPAA Violations of Business Associates That Can Be Issued a Financial Penalty

Since the Department of Health and Human Services enforced the requirements of the HITECH Act (Health Information Technology for Economic and Clinical Health Act) of 2009 in the 2013 Omnibus Final Rule, business associates of HIPAA covered entities that violate HIPAA Rules can be charged directly.

On May 24, 2019, the HHS’ Office for Civil Rights spelled out which HIPAA violations committed by a business associate can result in a financial penalty.

Non-compliance by business associates of HIPAA covered entities with the following HIPAA Rules requirements and prohibitions will be penalized. OCR cannot issue a financial penalty to a business associate if the HIPAA violation committed is not on the list below.

  • Not providing the Secretary with data and compliance reports; not helping with investigations of complaints or compliance evaluations; and not providing the Secretary access to information required to determine compliance.
  • Retaliating against any individual who files a HIPAA complaint, helps in investigations or opposes illegal practices covered by the HIPAA Rules.
  • Not adhering to the Security Rule requirements.
  • Not informing a covered entity or business associate that a breach occurred.
  • Impermissible use or disclosure of PHI.
  • Not providing a copy of electronic PHI (ePHI) to the covered entity, the individual or a designee, as stated in the business associate agreement, in fulfillment of a covered entity’s responsibilities relating to the form and format and the time and method of access.
  • Not making adequate efforts to limit PHI use, disclosure or request to the minimum needed to satisfy the intended objective.
  • Not giving an accounting of disclosures in a number of instances.
  • Not signing a business associate agreement with subcontractors prior to creating or accessing PHI and not complying with BAA requirements.
  • Not doing anything to address a physical breach or a BAA violation by a subcontractor.

The HHS Fact Sheet regarding the direct responsibility of business associates is available here.

Elizabeth Hernandez
