Is HIPAA Only for Medical Providers?

The Health Insurance Portability and Accountability Act applies to covered entities who transmit, receive, store, maintain, or create protected health information. These include healthcare providers, health plans, and healthcare clearinghouses. Healthcare providers frequently enter into agreements with vendors to assist with tasks such as claims processing, billing activities, legal services, accounting services, consulting services, administrative services, and even software or hardware support. These vendors, if they create, maintain, receive, store, or transmit protected health information, are regarded as “business associates” under HIPAA. In 2009, the Department of Health and Human Services (HHS), recognizing that business associates who handle PHI must be meaningfully regulated, issued regulations holding business associates directly liable for certain HIPAA provisions. Is HIPAA only for medical providers? Thanks to the 2009 law, the answer is a firm “no.”

Is HIPAA Only for Medical Providers? What is Direct Liability?

Direct liability is direct responsibility for violation of a law’s terms. When direct liability was imposed on business associates, this meant that their violating a HIPAA provision could now result in a fine being directly imposed on them. 

Do you have an effective HIPAA compliance program?

Find out now by completing the HIPAA compliance checklist. 

Changing the rule to hold business associates directly liable brought them out of the legal shadows and into the world of HIPAA liability. The general rule is that business associates are directly responsible for compliance with the Security Rule. Business associates are responsible for those Privacy Rule obligations they have agreed to take on in the business associate agreement.

Is HIPAA Only for Medical Providers? What are Business Associates Directly Liable For?

OCR has authority to take enforcement action against business associates for the following infractions: 

The failure to provide the HHS Secretary with records and compliance reports; 

The failure to cooperate with HHS complaint investigations and compliance reviews;

Refusal to permit access by the HHS Secretary to information, including protected health information (PHI), pertinent to determining compliance.

Taking any retaliatory action against any individual or other person for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules;

Failure to comply with the requirements of the Security Rule;

Failure to provide breach notification to a covered entity or another business associate;

Impermissible uses and disclosures of PHI;

Failure to disclose a copy of electronic PHI to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement) to satisfy a covered entity’s obligations regarding the form and format, and the time and manner of access under the Privacy Rule’s Right of Access provision. When a BAA requires the BA to provide an individual with an electronic copy of his or her ePHI upon the individual’s request and the business associate fails to do so, OCR has enforcement authority directly over the business associate for that failure; 

Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request;

Failure, in certain circumstances, to provide an accounting of disclosures (generally, when a covered entity asks a business associate for an accounting after a patient has requested one, the business associate must provide that accounting to the covered entity); 

Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements;

Failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.

Is HIPAA Only for Medical Providers? What Can OCR Not Enforce Against BAs?

OCR lacks the authority to enforce the “reasonable, cost-based fee” limitation in 45 C.F.R. § 164.524(c)(4) against business associates. This is because the HITECH Act does not apply the fee limitation provision to business associates; the HITECH Act created direct liability with respect to the provisions noted above, but not this one.

A covered entity that contracts with a business associate to fulfill an individual’s request for access to their PHI is responsible for ensuring that, where applicable, no more than the reasonable, cost-based fee permitted under HIPAA is charged. If the fee charged is in excess of the fee limitation, OCR can take enforcement action against only the covered entity. The fee limitation is viewed by HHS as an aspect of the treatment relationship between doctor and patient. As such, the government chose not to hold BAs directly liable for violation of the reasonable, cost-based fee limitation.