The HHS Office for Civil Rights (OCR) has issued a new fact sheet that provides a clear compilation of all provisions through which a business associate can be held directly liable for compliance with certain requirements of the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules ("HIPAA Rules"), in accordance with the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. In 2013, under the authority granted by the HITECH Act, OCR issued a final rule that, among other things, identified provisions of the HIPAA Rules that apply directly to business associates and for which business associates are directly liable.
OCR has authority to take enforcement action against business associates only for those requirements and prohibitions of the HIPAA Rules that appear on the following list.
"As part of the Department's effort to fully protect patients' health information and their rights under HIPAA, OCR has issued this important new fact sheet clearly explaining a business associate's liability," said OCR Director Roger Severino. "We want to make it as easy as possible for regulated entities to understand, and comply with, their obligations under the law."Business Associates