Blogs > Health Care and Life Sciences Law Blog

New HHS Fact Sheet on Direct Liability of Business Associates

Negotiating a Management Services Agreement

With the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act, business associates became directly liable for certain privacy and security requirements under the Health Insurance Portability and Accountability Act (HIPAA).  Business associates are those individuals or entities (other than employees) who perform functions or activities on behalf of, or provide certain services to, covered entities which require access to protected health information (PHI).

In 2013, the Department of Health and Human Services Office for Civil Rights (OCR) identified provisions of HIPAA that apply directly to business associates, and for which business associates are directly liable.  In order to clarify a business associate’s direct liability, OCR issued an easy to understand fact sheet on May 24, 2019.

OCR has the authority to take enforcement action against business associates for only the following HIPAA requirements and prohibitions:

  • Failure to provide the Secretary of the Department of Health and Human Services (HHS) with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the Secretary to information, including PHI, pertinent to determining compliance
  • Taking any retaliatory action against any individual or other people for filing a HIPAA complaint, participating in an investigation or other enforcement processes, or opposing an act or practice that is unlawful under HIPAA rules
  • Failure to comply with the requirements of the HIPAA security rules
  • Failure to provide breach notification to a covered entity or another business associate
  • Impermissible uses and disclosures of PHI
  • Failure to disclose a copy of electronic PHI to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement) to satisfy a covered entity’s obligations regarding the form and format, and the time and manner of access under 45 C.F.R. §§164.524(c)(2)(ii) and 3(ii), respectively
  • Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request
  • Failure, in certain circumstances, to provide an accounting of disclosures
  • Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements
  • Failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement
If you have any questions about this post or any related matters, please contact me at