Recent Searches

No recent searches

    Popular Articles

      Articles
      View all
        Topics
        View all
          Tickets
          View all
            no results

            Sorry! nothing found for

            When are Business Associates Directly Liable for HIPAA Violations?

            Modified on Thu, 8 Aug at 9:49 AM

            DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

            The Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) has authority to take enforcement action against business associates only for the requirements and prohibitions of the HIPAA Rules as set forth below.


            Business associates are directly liable for HIPAA violations as follows: 


            1. Failure to provide the HHS Secretary with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the Secretary to information, including protected health information (PHI), pertinent to determining compliance.

            2. Taking any retaliatory action against any individual or other person for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules.

            3. Failure to comply with the requirements of the Security Rule.

            4. Failure to provide breach notification to a covered entity or another business associate.

            5. Impermissible uses and disclosures of PHI.

            6. Failure to disclose a copy of electronic PHI (ePHI) to either (a) the covered entity or (b) the individual or the individual’s designee (whichever is specified in the business associate agreement) to satisfy a covered entity's obligations under 45 CFR 164.524(c)(2)(ii) and 3(ii), respectively, with respect to an individual’s request for an electronic copy of PHI.

            7. Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

            8. Failure, in certain circumstances, to provide an accounting of disclosures.

            9. Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.
            10. Failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.

            Was this article helpful?

            That’s Great!

            Thank you for your feedback

            Sorry! We couldn't be helpful

            Thank you for your feedback

            Let us know how can we improve this article!

            Select at least one of the reasons
            CAPTCHA verification is required.

            Feedback sent

            We appreciate your effort and will try to fix the article

            Preview
            0 of 0