Direct Liability of Business Associates

As published by: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/index.html

In 2009, Congress enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act [1], making business associates of covered entities directly liable for compliance with certain requirements of the HIPAA Rules. Consistent with the HITECH Act, the HHS Office for Civil Rights (OCR) issued a final rule in 2013 to modify the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules [2]. Among other things, the final rule identifies provisions of the HIPAA Rules that apply directly to business associates and for which business associates are directly liable [3].

As set forth in the HITECH Act and OCR’s 2013 final rule, OCR has authority to take enforcement action against business associates only for those requirements and prohibitions of the HIPAA Rules as set forth below.

Business associates are directly liable for HIPAA violations as follows:

By contrast, OCR lacks the authority to enforce the “reasonable, cost-based fee” limitation in 45 C.F.R. § 164.524(c)(4) against business associates because the HITECH Act does not apply the fee limitation provision to business associates. A covered entity that engages the services of a business associate to fulfill an individual’s request for access to their PHI is responsible for ensuring that, where applicable, no more than the reasonable, cost-based fee permitted under HIPAA is charged. If the fee charged is in excess of the fee limitation, OCR can take enforcement action against only the covered entity.