HHS’s Office for Civil Rights(“OCR”), which is the government agency responsible for enforcement of the HIPAA privacy, security, breach notification, and enforcement rules (the “HIPAA Rules”), recently issued a new fact sheet (“Fact Sheet”). The Fact Sheet recaps the provisions in the HIPAA Rules for which a HIPAA business associate may be held directly liable for compliance. HIPAA business associates of an employer-sponsored group health plan, which is a “covered entity” under HIPAA, would include, for example, the health plan’s third-party claims administrator, a health plan consulting firm, a benefits broker, and the health plan’s outside legal counsel, if such persons or entities create, receive, maintain, or transmit HIPAA protected health information (“PHI”) on behalf of the health plan.
The Fact Sheet clarified that OCR has authority to take enforcement action against business associates only for certain requirements and prohibitions of the HIPAA Rules as listed in the Fact Sheet, including, without limitation:
• Failure to comply with the requirements of the HIPAA security rule; • Failure to provide breach notification to a covered entity, such as an employer-sponsored group health plan, or another business associate; • Impermissible uses and disclosures of PHI;
• Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request;
• Failure to enter into business associate agreements with their subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements; and
• Failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.
In today’s business environment, employers outsource many aspects of health plan administration to their business associates. The Fact Sheet serves as an important reminder to employers that business associates are not directly subject under the HIPAA Rules to all the requirements that apply to employer-sponsored group health plans.
Employers cannot outsource to business associates certain obligations under the HIPAA Rules with immunity from liability. For example, business associates are not directly responsible under the HIPAA Rules for the issuance and administration of required notifications to individuals, the media (in some cases), and HHS when a breach of unsecured PHI occurs, regardless of whether the business associate (or its subcontractor) is the party that commits the breach. Instead, such notification obligations remain with the health plan.
A copy of the fact sheet is available here.