The new rules make business associates directly responsible for complying with the security rule. Previously, only a covered entity had directly responsibility for compliance, with their business associates having responsibility only to the covered entity via contract. This is an important distinction as this places significantly more liability on vendors and sub-contractors who are deemed to be business associates.
The rules require business associates to:
- Use or disclose PHI only as permitted or required by the business associate agreement or by law.
- Not use or disclose PHI in a manner that would violate the privacy rule if done by the covered entity
- Disclose PHI when required by the HHS to investigate or determine the business associate’s compliance with HIPAA/HITECH
- Disclose PHI to the covered entity, or to the individual or individual’s designee to facilitate compliance with the individual’s request for his or her electronic PHI
- Provide an individual or the individual’s designee with a copy of their PHI in an electronic format, if the individual so chooses, to the extent the entity maintains PHI in an electronic health record
- Limit the PHI that business associates use, disclose or request to the minimum necessary to accomplish the intended purposes of the use, disclosure or request
- Respond to known noncompliance with the rules or business associate agreement restrictions by their business associate subcontractors.
As a result, business associates are directly liable under the rules for failures to fulfill these responsibilities, including:
- Uses and disclosures of PHI that are inconsistent with the privacy rule
- Uses and disclosures of PHI that would violate the privacy rule if done by the covered entity
- Failure to disclose PHI when required by the Department of Health and Human Services to investigate and determine the business associate’s compliance with the rules
- Failure to disclose PHI to the covered entity, or to the individual to whom the information pertains, or the individual’s designee, as necessary to fulfill covered entity’s obligations to provide the information to the individual
- Failure to make reasonable effort to limit PHI to the minimum necessary to accomplish the intended purposes of use or disclosure of, or request for, the PHI
- Failure to enter into a business associate agreement with subcontractors that access PHI on their behalf
- Failure to take reasonable action in response to a covered subcontractor’s noncompliance with the rules or the requirements of the business associate agreement
For more information on our Technology Partners HIPAA Compliance Services, contact Brian Rosenfelt by leaving a comment below, or by calling 440-449-6800.