Last Friday, OCR issued a new fact sheet that outlines the ten circumstances where a Business Associate would have direct liability under HIPAA.

  1. Failure to provide the Secretary with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the Secretary to information, including protected health information (PHI), pertinent to determining compliance.
  2. Taking any retaliatory action against any individual or other person for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules.
  3. Failure to comply with the requirements of the Security Rule.
  4. Failure to provide breach notification to a covered entity or another business associate.
  5. Impermissible uses and disclosures of PHI.
  6. Failure to disclose a copy of electronic PHI (ePHI) to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement) to satisfy a covered entity’s obligations regarding the form and format, and the time and manner of access under 45 C.F.R. §§ 164.524(c)(2)(ii) and 3(ii), respectively.
  7. Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
  8. Failure, in certain circumstances, to provide an accounting of disclosures.
  9. Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.
  10. Failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.

This list is a helpful resource for Business Associates looking to review existing compliance programs. While many of these points will be well understood by Business Associates, some will require a detailed analysis to make sure the Business Associate is compliant. For example, compliance with the Security Rule can differ based on both the scale and types of activities of a Business Associate. A robust compliance program will address all ten points and provide guidance for a Business Associate in ambiguous circumstances.

Our Take:

By providing an explicit list of direct risks, OCR is signaling to Business Associates that an acceptable compliance program must cover the above ten points. Considering the specificity of OCR’s fact sheet, take a moment and review your existing policies to confirm that they address the ten points. If they do not, we recommend taking action to address any holes in your existing program.