New Business Associate HIPAA Guidelines Released by OCR

The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) released new HIPAA guidelines for business associate requirements in May 2019. These guidelines reinforce a business associate’s liability under HIPAA law. The HHS has identified 10 areas in which business associates (BAs) are held accountable. 

1. Failure to provide the Secretary with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the Secretary to information, including protected health information (PHI), pertinent to determining compliance.4
2. Taking any retaliatory action against any individual or other person for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules.5
3. Failure to comply with the requirements of the Security Rule.6
4. Failure to provide breach notification to a covered entity or another business associate.7
5. Impermissible uses and disclosures of PHI.8
6. Failure to disclose a copy of electronic PHI (ePHI) to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement) to satisfy a covered entity’s obligations regarding the form and format, and the time and manner of access under 45 C.F.R. §§ 164.524(c)(2)(ii) and 3(ii), respectively.9
7. Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.10
8. Failure, in certain circumstances, to provide an accounting of disclosures.11
9. Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.12
10. Failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.13 

The new business associate HIPAA guidelines were released to clarify a business associate’s responsibility to protecting PHI. Recently, there have been large-scale data breaches of business associates due to a lack of understanding that they must be HIPAA compliant. Business associates must have adequate administrative, technical, and physical safeguards in place to protect the PHI that they are working with. Without safeguards in place, in the event of a breach, and a subsequent HIPAA audit, your organization could be subject to sanctions and costly fines. 

Need Help with the New Business Associate HIPAA Guidelines?

Business associates must be aware of all aspects of HIPAA law that they are subject to. Compliancy Group simplifies your compliance allowing you to confidently focus on your business. Our cloud-based compliance software the Guard™ can be accessed from any device connected to the internet. In addition, the Guard™ stores all that you need to prove your “good faith effort” towards compliance in one convenient location. Find out more about how Compliancy Group can help you with your HIPAA compliance needs!