To clear up confusion about business associate liability for HIPAA violations, on May 24, 2019, the Department of Health and Human Services (“DHHS”) Office for Civil Rights (“OCR”) clarified exactly what HIPAA violations could result in a civil money penalty (“CMP”) for a business associate (“BA”).

In the 2013 Omnibus Rule, DHHS implemented the HITECH Act’s expansion of liability for HIPAA violations to include not only covered entities, but also BAs.

Under the HITECH Act and the Omnibus Rule, DHHS can hold BAs of covered entities directly liable only for the HIPAA violations detailed below. OCR does not have the authority to issue financial penalties to business associates for other HIPAA noncompliance, although the covered entity could certainly terminate their services for such a violation of the Business Associate Agreement.

Thus, DHHS may impose civil money penalties or other sanctions for only the following HIPAA violations:

1. Failure to do any of the following: provide records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the DHHS to information, including protected health information (“PHI”), pertinent to determining compliance. See 45 C.F.R. §§ 160.310, 164.502(a)(4)(i).
2. Taking any retaliatory action against any individual for doing any of the following: filing a HIPAA complaint; participating in an investigation or other enforcement process; or opposing an act or practice that is unlawful under the HIPAA Rules. See 45 C.F.R. § 160.316.
3. Failure to comply with the requirements of the Security Rule. See HITECH Act § 13401, 42 U.S.C. § 17931 (making 45 C.F.R. §§ 164.308, 164.310, 164.312, and 164.316 directly applicable to business associates, as well as any other security provision that the HITECH Act made applicable to covered entities); 45 C.F.R. §§ 164.306, 164.308, 164.310, 164.312, 164.314, 164.316.
4. Failure to provide breach notification to a covered entity or another business associate.
5. Impermissible uses and disclosures of PHI.
6. Failure to disclose a copy of electronic PHI (“EPHI”) to either the covered entity, the individual, or the individual’s designee to satisfy a covered entity’s obligations regarding the form and format, and the time and manner of access under 45 C.F.R. §§ 164.524(c)(2)(ii) and 3(ii), respectively.
7. Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
8. Failure to provide an accounting of disclosures when required.
9. Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf and failure to comply with the implementation specifications for such agreements.
10. Failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.

For example, where the business associate’s agreement with a covered entity requires it to provide to an individual an electronic copy of his or her EPHI upon the individual’s request and the business associate fails to do so, OCR has enforcement authority directly over the business associate for that failure.

By contrast, OCR lacks the authority to enforce the “reasonable, cost-based fee” limitation in 45 C.F.R. § 164.524(c)(4) against business associates because the HITECH Act does not apply the fee limitation provision to business associates. A covered entity that engages the services of a business associate to fulfill an individual’s request for access to the individual’s PHI is responsible for ensuring that, where applicable, no more than the reasonable, cost-based fee permitted under HIPAA is charged. If the fee charged is in excess of the fee limitation, OCR can take enforcement action against only the covered entity.

Thus, it appears that few serious HIPAA violations cannot result in a business associate CMP. Further, OCR has shown no hesitation in bringing enforcement actions against business associates as illustrated by these two settlements just this past May:

• Indiana Medical Records Service Pays $100,000 to Settle HIPAA Breach – May 23, 2019.
• Tennessee Diagnostic Medical Imaging Services Company Pays $3,000,000 to Settle Breach Exposing Over 300,000 Patients’ Protected Health Information – May 6, 2019.

Alice here: Yes, once again, I am here to try to sell things to keep you and us in business. Surely, after having read Jon’s blog items all these years, and especially today’s blog item, you recognize that you must keep your risk analysis up to date. If you need help with your risk analysis, either initially or for an update, Jon Tomes has written a Risk Analysis ToolKit to provide the structure and tools to help you complete the requirement under HIPAA. You and your risk analysis team can fill it out and document your decisions as to what is reasonable and appropriate for you to adopt in the way of policies and procedures and be done with it. Or you could send your completed risk analysis to Jon to review and render his professional opinion as the country’s leading HIPAA expert (IMO) as to whether it is sufficient to keep you from getting that free trip to Leavenworth or that very expensive trip to the bank. If you have Jon’s Compliance Guide to HIPAA and the DHHS Regulations, 6^th edition, with the accompanying HIPAA Documents Resources Center CD, also 6^th edition, you can find the Risk Analysis ToolKit on the CD. It is also available with a review by Jon at https://www.veteranspress.com/product/hipaa-risk-analysis-toolkit. Also, Jon Tomes presented a webinar recently on “How to Do a HIPAA and HITECH Risk Analysis.” You can buy a recording of it at https://www.complianceiq.com/trainings/LiveWebinar/2255/how-to-do-a-hipaa-and-hitech-risk-analysis. Jon is also writing a Risk Analysis Update ToolKit, which will be available for you in the near future on the Premium Member section of our website. Please stay tuned for our announcement when it is up and running for you there. Also, include in your risk analysis the lack of a business associate agreement if you are considering hiring a business associate or a downstream business associate.

If you need guidance on how to draft the policies and procedures that your risk analysis or your newly updated risk analysis has shown are reasonable and appropriate for your organization, Jon has also written The Complete HIPAA Policies and Procedures Guide, with the accompanying CD of several dozen HIPAA policies and procedures templates for you to adapt to your situation. That book also contains a chapter by me on how to write in general, but more specifically on how to write a good policy.

Make sure that you train your entire workforce on HIPAA in general and on the HIPAA policies and procedures according to who needs to know what to perform their duties for you. If you need handy HIPAA training in general, consider Jon’s training video and training manual in either of two forms available here: https://www.veteranspress.com/product/basic-hipaa-training-video-dvd-workbook or https://www.veteranspress.com/product/online-hipaa-training-video-certification. Or you could hire Jon to present HIPAA training onsite to your workforce. Just contact him at jon@veteranspress.com or 816-527-3858.

Keep your written documentation of all of these HIPAA compliance efforts where you can find them easily and quickly if HHS shows up demanding your HIPAA compliance documentation. We recommend keeping all of it in Your Happy HIPAA Book. Jon included tabs in the three-ring binder for everything that you need to document and a checklist for each tab. I recommend adding the date that you check off each item in each checklist, as one of our clients suggested to us.

If you have had a security incident that you were unsure as to what exactly to do about, or if you are concerned that you may have one, consider reading Jon’s book How to Handle HIPAA and HITECH Act Breaches, Complaints, and Investigations: Everything You Need to Know.

A sample business associate agreement policy and a sample business associate agreement are posted in the Premium Member section of our website at www.veteranspress.com.

As always, thanks for reading Jon’s blog, buying his books and other HIPAA compliance tools, attending our seminars and webinars, and hiring Jon for HIPAA consulting and training. We wish you every success with your HIPAA compliance efforts.