HHS Confirms When Business Associates Can be Held Directly Liable for HIPAA Violations


The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, and the subsequent HIPAA Omnibus Final Rule of 2013, required business associates of HIPAA covered entities to comply with certain provisions of the HIPAA Privacy, Security, and Breach Notification Rules.

Prior to the HITECH Act, business associates only had a contractual responsibility to comply with HIPAA Rules. If they were discovered to have violated HIPAA Rules, they could not be held directly liable for those HIPAA failures.

The HIPAA Omnibus Final Rule defined which aspects of the HIPAA Rules business associates were required to comply with, and the Department of Health and Human Services’ Office for Civil Rights (OCR) was given the authority to issue civil monetary penalties to business associates that were discovered to have violated HIPAA Rules.

On May 24, 2019, OCR issued a new fact sheet that confirmed the violations of HIPAA Rules that can result in enforcement actions against business associates. The fact sheet was released to make it as easy as possible for business associates to understand their obligations under HIPAA and to help ensure patient rights are protected.

The fact sheet confirms that OCR can only take enforcement actions against business associates for the following HIPAA violations:

  1. Failure to cooperate with an HHS investigation, failure to provide records and compliance reports, or failure to give the Secretary of the HHS access to information, including PHI, in order to assess compliance with HIPAA Rules.
  2. Retaliating against an individual for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules.
  3. Failure to comply with the requirements of the HIPAA Security Rule.
  4. Failure to notify a covered entity or another business associate about a data breach.
  5. Impermissible uses and disclosures of PHI.
  6. Failure to disclose ePHI to a covered entity, an individual, or the individual’s nominated representative in order to meet a covered entity’s obligations under 45 C.F.R. §§ 164.524(c)(2)(ii) and 3(ii).
  7. Failure to comply with the HIPAA Minimum Necessary Standard.
  8. Failure to provide an accounting of disclosures, in certain circumstances.
  9. Failure to enter into business associate agreements with subcontractors that create, receive, store, transmit, or process PHI on behalf of the business associate, and failure to comply with the implementation specifications for BAAs.
  10. Failure to take reasonable steps to address a material breach or violation of the subcontractor’s BAA.

Business associates that fail to comply with HIPAA can be fined for HIPAA violations. Under the new penalty structure adopted by the HHS in 2019, the penalties for HIPAA violations are:


About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/