HHS Issues Clarification On Business Associates Liability
On May 24, 2019, the Department of Health and Human Services issued a clarification on business associates liability for violations of the Health Insurance Portability and Accountability Act. HHS Office for Civil Rights released information on what violations could result in a HIPAA fine for business associates of HIPAA covered entities.
According to the HHS Fact Sheet on direct liability of business associates, fines can be incurred for;
- Failure to provide the Secretary with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the Secretary to information, including protected health information (PHI), pertinent to determining compliance.
- Taking any retaliatory action against any individual or other person for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules.
- Failure to comply with the requirements of the Security Rule.
- Failure to provide breach notification to a covered entity or another business associate.7
- Impermissible uses and disclosures of PHI.
- Failure to disclose a copy of electronic PHI (ePHI) to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement) to satisfy a covered entity’s obligations regarding the form and format, and the time and manner of access under 45 C.F.R. §§ 164.524(c)(2)(ii) and 3(ii), respectively.
- Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
- Failure, in certain circumstances, to provide an accounting of disclosures.
- Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.
- Failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.
The healthcare industry has been awaiting the clarification since the Omnibus Final Rule of 2013 and the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 ruled that business associates can be directly fined for violating HIPAA. However, there was ambiguity over the liability of business associates in the certain cases. The recent clarifications hope to remove such ambiguity.
Penalties for HIPAA Violations
The HITECH Act also increased the maximum penalties OCR can fine against organisations which violate HIPAA. Initially, a maximum fine of $1.5 million could be applied across all four violation tiers. However, this was re-examined in 2019 and saw the maximum penalty be reduced for three of the four tiers.
OCR considers a wide range of factors when determining the appropriate penalty, including the length of time over which violation occurred, the number of people affected, the types of data compromised, the financial means of the organization, the harmful consequences of the violation, and efforts made to voluntarily correct violations when they are discovered.
OCR also considers the organization’s willingness to assist with OCR investigations. OCR is more likely to be lenient on organizations that cooperate fully with a breach investigation.
- Tier 1: Minimum fine of $100 per violation up to $50,000 per violation. Maximum annual penalty of $25,000 for violations of an identical provision
- Tier 2: Minimum fine of $1,000 per violation up to $50,000 per violation. Maximum annual penalty of $100,000 for violations of an identical provision
- Tier 3: Minimum fine of $10,000 per violation up to $50,000 per violation. Maximum annual penalty of $250,000 for violations of an identical provision
- Tier 4: Fine of $50,000 per violation. Maximum annual penalty of $1.5 million for violations of an identical provision