to the Department of Health and Human Services (HHS), business associates of
HIPAA covered entities may be held liable for noncompliance of certain HIPAA rules
and requirements. HHS has provided the following list of HIPAA violations that
business associates can be held fully liable.
to provide the Secretary with records and compliance reports; cooperate with
complaint investigations and compliance reviews; and permit access by the
Secretary to information, including protected health information (PHI),
pertinent to determining compliance.
any retaliatory action against any individual or other person for filing a
HIPAA complaint, participating in an investigation or other enforcement
process, or opposing an act or practice that is unlawful under the HIPAA Rules.
to comply with the requirements of the Security Rule.
to provide breach notification to a covered entity or another business
uses and disclosures of PHI.
to disclose a copy of electronic PHI (ePHI) to either the covered entity, the
individual, or the individual’s designee (whichever is specified in the
business associate agreement) to satisfy a covered entity’s obligations
regarding the form and format, and the time and manner of access under 45
C.F.R. §§ 164.524(c)(2)(ii) and 3(ii), respectively.
to make reasonable efforts to limit PHI to the minimum necessary to accomplish
the intended purpose of the use, disclosure, or request.
in certain circumstances, to provide an accounting of disclosures.
to enter into business associate agreements with subcontractors that create or
receive PHI on their behalf, and failure to comply with the implementation
specifications for such agreements.
to take reasonable steps to address a material breach or violation of the
subcontractor’s business associate agreement.
for HIPAA Violations by Business Associates
be using the following penalty structure detailed below for HIPAA Violations by
per violation. Maximum $25,000 per year) - Unaware
of the HIPAA violation and by exercising reasonable due diligence would not have
known HIPAA rules had been violated.
-$50,000 per violation. Maximum $100,000 per year) - Reasonable
cause that the covered entity knew about or should have known about the
violation by exercising reasonable due diligence.
- Tier 3 ($10,000-$50,000 per
violation. Maximum $250,000 per year) - Willful
neglect of HIPAA rules with the violation corrected within 30 days of
- Tier 4 ($50,000 per violation.
Maximum $1.5 million per year) - Willful
neglect of HIPAA rules and no effort made to correct the violation within 30
days of discovery.
further questions regarding HIPAA requirements for business associates, contact
the experts at MedSafe for a free consultation. MedSafe is the nation's leading
one-stop resource for outsourced safety and health compliance solutions in