Do Subcontractors have Direct Liability under HIPAA? Do Subcontractors have Direct Liability under HIPAA?
Yes. In the HIPAA Final Rule (i.e., HIPAA Omnibus Rule), HHS clarified that business associates and their subcontractors may now face HIPAA enforcement actions and are directly liable for violating the HIPAA Security Rule and certain enumerated provisions of the Privacy and Breach Notification Rules. Therefore, the Office of Civil Rights may now enforce civil monetary penalties against covered entities, business associates, and subcontractors.
In the HIPAA Final Rule, HHS clarified the provisions for which business associates and subcontractors now face direct liability, including:
(1) impermissible uses and disclosures (45 CFR § 164.502(a)(3));
(2) failure to provide breach notification to the covered entity (§ 164.410);
(3) failure to provide access to a copy of electronic PHI to either the covered entity, the individual, or the individual's designee (whichever is specified in the business associate agreement) ( § 164.502(a)(4)(ii));
(4) failure to disclose PHI where required by the
Secretary to investigate or determine the business associate's
compliance with the HIPAA Rules (§ 164.502(a)(4)(i));
(5) failure to provide an accounting of disclosures (if subject to those requirements pursuant to the BA agreement) (76 FR 31426 (May 31, 2011);
(6) failure to comply with the requirements of the Security Rule (Subpart C of Part 164);
(7) failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request (§ 164.502(b)); and
(8) failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf (§ 164.502(e)(1)(ii)).
Business associates and subcontractors should carefully review their business associate agreements (and respective subcontractor agreements) to confirm that the terms align with the changes in the HIPAA Final Rule as well as the services being provided by such parties. Reviewing the agreements is particularly important for information technology vendors (e.g., data centers, IT technicians and other service providers, data destruction vendors, etc.) providing services to healthcare providers, health plans and other covered entities because the business associate agreement (or subcontractor agreement) may change the scope of some of the obligations.
For example, with respect to the requirement to provide
"access to a copy of electronic PHI to either the covered entity, the individual, or the individual's designee," HHS stated:
[B]usiness associates are liable for providing electronic access in accordance with their business associate agreements. Therefore, business associates may provide electronic access directly to individuals or their designees, or may provide the electronic protected health information to the covered entity (which then provides the electronic access to individuals or their designees). As with many other provisions in the HIPAA Rules, the Department leaves the details to the contracting parties, and is concerned only that access is provided to the individual, not with which party provides the access.
78 FR 5599 (Jan. 25, 2013).
Depending on the services being provided, many IT vendors will not generally have direct interaction with the patient or individual and may not routinely interact with the PHI (or at least interact with it in a manner that such vendor would be best suited to provide the patient with access). As such, given that BAs and Subcontractors now have direct liability, BAs and Subcontractors would be best served by ensuring that contract provisions accurately reflect the scope of services being provided, by strike language that would otherwise expand the scope of their liability.
The HIPAA Final Rule was published in the Federal Register on January 25, 2013 and is formally titled Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule
This FAQ post, and the information on this website, has been prepared for general information purposes only. The information on this website is not legal advice. Legal advice is dependent upon the specific circumstances of each situation and the jurisdiction of each state. The information contained here is not guaranteed to be up to date. Please consult legal counsel in your state to discuss your specific circumstances.
Newest Blog Entries
7/23/15 Hospital Settles with OCR for $ 218,400 Over Cloud-Based File Sharing
6/8/15 Two California Privacy Bills to Watch in 2015
3/28/15 When Looking at Security, Consider Every Device
3/9/15 Alabama Board of Optometry Makes Final a Rule on Telemedicine
1/25/15 Indiana Court of Appeals Upholds $1.44 Million Jury Verdict Against Walgreen Co. in a Privacy Breach Case; Denies Rehearing
12/9/14 Malware Leads to a $150,000 OCR Settlement with a Behavioral Health Provider
11/30/14 Can a Board of Medicine Use the State’s Prescription Drug Database in Investigating Physician Actions?
11/29/14 Under the Florida Telemedicine Rule, Can a Physical be Conducted by Telemedicine?
11/19/14 Wearables and the Challenge for Consumer Device Makers
10/28/14 A Few Telemedicine Resources
10/27/14 FCC: The Newest Regulator to Throw its Hat into the Data Privacy and Security Ring
April 2014 (6)
February 2014 (4)
May 2014 (6)
November 2014 (3)
July 2014 (1)
June 2015 (1)
November 2013 (3)
September 2014 (1)
December 2014 (1)
January 2015 (1)
June 2014 (3)
December 2013 (5)
March 2015 (2)
October 2013 (9)
July 2015 (1)
October 2014 (2)
March 2014 (3)
August 2014 (4)
January 2014 (4)
Financial Services (1)
Mobile Apps (2)
Medical Marijuana (1)
Meaningful Use (4)
Privacy Litigation (3)
Identity Theft (1)
Healthcare Fraud (1)
Social Media (2)
Mobile Apps FDA (2)
Data Breach (10)
Big Data (3)
Healthcare Competition (1)