Yes. In the HIPAA Final Rule (i.e., HIPAA Omnibus Rule), HHS clarified that business associates and their subcontractors may now face HIPAA enforcement actions and are directly liable for violating the HIPAA Security Rule and certain enumerated provisions of the Privacy and Breach Notification Rules. Therefore, the Office of Civil Rights may now enforce civil monetary penalties against covered entities, business associates, and subcontractors.

In the HIPAA Final
Rule, HHS clarified the provisions for which business associates and subcontractors now face direct liability, including:
(1) impermissible uses and disclosures (45 CFR 164.502(a)(3));

(2) failure to provide breach notification to the covered entity ( 164.410);

(3) failure to provide access to a copy of electronic PHI to either the covered entity, the individual, or the individual's designee (whichever is specified in the business associate agreement) ( 164.502(a)(4)(ii));

(4) failure to disclose PHI where required by the Secretary to investigate or determine the business associate's compliance with the HIPAA Rules ( 164.502(a)(4)(i));

(5) failure to provide an accounting of disclosures (if subject to those requirements pursuant to the BA agreement) (
76 FR 31426 (May 31, 2011);

(6) failure to comply with the requirements of the Security Rule (Subpart C of Part 164)

(7) failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request ( 164.502(b));

(8) failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf ( 164.502(e)(1)(ii)).
Business associates and subcontractors should carefully review their business associate agreements (and respective subcontractor agreements) to confirm that the terms align with the changes in the HIPAA Final Rule as well as the services being provided by such parties. Reviewing the agreements is particularly important for information technology vendors (e.g., data centers, IT technicians and other service providers, data destruction vendors, etc.) providing services to healthcare providers, health plans and other covered entities because the business associate agreement (or subcontractor agreement) may change the scope of some of the obligations.

For example, with respect to the requirement to provide
"access to a copy of electronic PHI to either the covered entity, the individual, or the individual's designee," HHS stated:
[B]usiness associates are liable for providing electronic access in accordance with their business associate agreements. Therefore, business associates may provide electronic access directly to individuals or their designees, or may provide the electronic protected health information to the covered entity (which then provides the electronic access to individuals or their designees). As with many other provisions in the HIPAA Rules, the Department leaves the details to the contracting parties, and is concerned only that access is provided to the individual, not with which party provides the access.

78 FR 5599 (Jan. 25, 2013).
Depending on the services being provided, many IT vendors will not generally have direct interaction with the patient or individual and may not routinely interact with the PHI (or at least interact with it in a manner that such vendor would be best suited to provide the patient with access). As such, given that BAs and Subcontractors now have direct liability, BAs and Subcontractors would be best served by ensuring that contract provisions accurately reflect the scope of services being provided, by strike language that would otherwise expand the scope of their liability.

The HIPAA Final Rule was published in the Federal Register on January 25, 2013 and is formally titled Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule

This FAQ post, and the information on this website, has been prepared for general information purposes only. The information on this website is not legal advice. Legal advice is dependent upon the specific circumstances of each situation and the jurisdiction of each state. The information contained here is not guaranteed to be up to date. Please consult legal counsel in your state to discuss your specific circumstances.