Direct Liability of Business Associates

In 2009, Congress enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act,1 making business associates of covered entities directly liable for compliance with certain requirements of the HIPAA Rules. Consistent with the HITECH Act, the HHS Office for Civil Rights (OCR) issued a final rule in 2013 to modify the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules.2 Among other things, the final rule identifies provisions of the HIPAA Rules that apply directly to business associates and for which business associates are directly liable.3

As set forth in the HITECH Act and OCR’s 2013 final rule, OCR has authority to take enforcement action against business associates only for those requirements and prohibitions of the HIPAA Rules as set forth below.

Business associates are directly liable for HIPAA violations as follows:

1. Failure to provide the Secretary with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the Secretary to information, including protected health information (PHI), pertinent to determining compliance.4
2. Taking any retaliatory action against any individual or other person for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules.5
3. Failure to comply with the requirements of the Security Rule.6
4. Failure to provide breach notification to a covered entity or another business associate.7
5. Impermissible uses and disclosures of PHI.8
6. Failure to disclose a copy of electronic PHI (ePHI) to either (a) the covered entity or (b) the individual or the individual’s designee (whichever is specified in the business associate agreement) to satisfy a covered entity's obligations under 45 CFR 164.524(c)(2)(ii) and 3(ii), respectively, with respect to an individual’s request for an electronic copy of PHI.9
7. Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.10
8. Failure, in certain circumstances, to provide an accounting of disclosures.11
9. Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.12
10. Failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.13

For example, where the business associate’s agreement with a covered entity requires it to provide an individual with an electronic copy of his or her ePHI upon the individual’s request and the business associate fails to do so, OCR has enforcement authority directly over the business associate for that failure. (See No. 6 above.)

By contrast, OCR lacks the authority to enforce the “reasonable, cost-based fee” limitation in 45 CFR 164.524(c)(4) against business associates because the HITECH Act does not apply the fee limitation provision to business associates. A covered entity that engages the services of a business associate to fulfill an individual’s request for access to their PHI is responsible for ensuring that, where applicable, no more than the reasonable, cost-based fee permitted under HIPAA is charged. If the fee charged is in excess of the fee limitation, OCR can take enforcement action against only the covered entity.

1. The HITECH Act was enacted as title XIII of division A and title IV of division B of the American Recovery and Reinvestment Act of 2009 (ARRA), Pub. L. 111-5.
• back to note 1 2. 78 FR 5566 (January 25, 2013).
• back to note 2 3. See 78 FR 5566.
• back to note 3 4. See 45 CFR 160.310, 164.502(a)(4)(i).
• back to note 4 5. See 45 CFR 160.316.
• back to note 5 6. See HITECH Act 13401, 42 U.S.C. 17931 (making 45 CFR 164.308, 164.310, 164.312, and 164.316 directly applicable to business associates, as well as any other security provision that the HITECH Act made applicable to covered entities); 45 CFR 164.306, 164.308, 164.310, 164.312, 164.314, 164.316.
• back to note 6 7. See 45 CFR 164.410, 164.412.
• back to note 7 8. See 45 CFR 164.502(a)(3).
• back to note 8 9. See 45 CFR 164.502(a)(4)(ii).
• back to note 9 10. See 45 CFR 164.502(b).
• back to note 10 11. See HITECH Act 13405(c)(3), 42 U.S.C. 17935(c)(3) (“A business associate included on a list under subparagraph (b) shall provide an accounting of disclosures (as required under paragraph (1) for a covered entity) made by the business associate upon a request made by an individual directly to the business associate for such an accounting.”). OCR plans to issue rulemaking on the accounting of disclosures as required by HITECH Act 13405(c)(2).
• back to note 11 12. See 45 CFR 164.502(e)(1)(ii), 164.504(e)(5).
• back to note 12 13. See 45 CFR 164.504(e)(1)(iii) (“A business associate is not in compliance with the standards in 164.502(e) and this paragraph, if the business associate knew of a pattern of activity or practice of a subcontractor that constituted a material breach or violation of the subcontractor's obligation under the contract or other arrangement, unless the business associate took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful, terminated the contract or arrangement, if feasible.”).
• back to note 13

Frequently Asked Questions for Professionals - Please see the HIPAA FAQs for additional guidance on health information privacy topics.