In an effort to make the HIPAA Privacy Rule as easy to understand as possible, the Office for Civil Rights (OCR) has come up with a list of rules that clearly explain what Business Associates are now “directly liable” for. As OCR Director Roger Severino explains, “We want to make it as easy as possible for regulated entities to understand, and comply with, their obligations under the law.” The list consists of ten rules that, if failed to follow, can result in penalties and monetary fines.
HHS Fact Sheet
Failure to provide the Secretary with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the Secretary to information, including protected health information (PHI), pertinent to determining compliance.
Taking any retaliatory action against any individual or other person for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules.
Failure to comply with the requirements of the Security Rule.
Failure to provide breach notification to a covered entity or another business associate.
Impermissible uses and disclosures of PHI.
Failure to disclose a copy of electronic PHI to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement) to satisfy a covered entity’s obligations regarding the form and format, and the time and manner of access under 45 C.F.R. §§ 164.524(c)(2)(ii) and 3(ii), respectively.
Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
Failure, in certain circumstances, to provide an accounting of disclosures.
Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.
Failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.
The OCR has made it very clear that even so much as simply “[failing] to comply with the requirements of the Security Rule” can result in immediate penalties as well.
To this end, one of the most important rules also includes information about Business Associate Agreements and their need for proof of Satisfactory Assurance when the Covered Entity requests this of them. Satisfactory Assurance is crucial because it ensures the Business Associate is HIPAA Compliant and therefore, must also be in the form of a contract. Because it is so often overlooked, the fact sheet has included that “Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.”
Your best next steps:
Ensure all Business Associates and Vendors have proof of Satisfactory Assurance at least annually, as well as Business Associate Agreement outlining their roles, functions and notification requirements.
If you are unsure or need assistance, call Jim Johnson with Live Compliance at (980) 999-1585.
For more information visit, https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html