OCR issues guidance on BA liability in protecting health data

Register now

The HHS Office for Civil Rights has issued a fact sheet listing all situations for which a healthcare business associate can be held liable for not following the rules.

The federal agency issued the information to help business associates better understand their liability for complying with HIPAA privacy, security, breach notification and enforcement rules under the HITECH Act.

The fact sheet is timely in the wake of a huge data breach in June suffered by Quest Diagnostics, a nationwide laboratory chain, after a billing and collections business associate of Quest reported unauthorized access to its information systems, which potentially could jeopardize the data of 11.9 million Quest patients. The same contractor also put at risk patient information held by LabCorp, a major medical testing firm.

In accordance with HITECH rules, OCR has authority to take action against BAs for 10 types of transgressions. They include:

• Failing to provide the Secretary of Health and Human Services with records and compliance reports, and failing to cooperate with complaint investigations and compliance reviews.

• Taking any retaliatory action against anyone for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under HIPAA rules.

• Failing to comply with the requirements of the Security Rule.

• Failing to provide breach notification to a covered entity or another business associate.

• Impermissibly using and disclosing protected health information.

• Failing to disclose a copy of electronic PHI to either the covered entity, the individual or the individual’s designee, to satisfy a covered entity’s obligations about the form and format of access, and the time and manner of access under rule 45 C.F.R.164.524(c)(2) (ii) and 3(ii), respectively.

• Failing to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

• Failing in certain circumstances to provide an accounting of disclosures.

• Failing to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, and failing to comply with the implementation specifications for such agreements.

• Failing to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.

More comprehensive background and guidance is available here.

For reprint and licensing requests for this article, click here.