Yes. In the HIPAA Final Rule (i.e., the HIPAA Omnibus Rule), HHS clarified that business associates and their subcontractors may now face HIPAA enforcement actions and are directly liable for violating the HIPAA Security Rule and certain enumerated provisions of the Privacy and Breach Notification Rules. Therefore, the Office for Civil Rights (OCR) may now enforce civil monetary penalties against covered entities, business associates, and subcontractors.
In the HIPAA Final Rule, HHS clarified the provisions for which business associates and subcontractors now face direct liability, including:
(1) impermissible uses and disclosures (45 CFR § 164.502(a)(3));
Business associates and subcontractors should carefully review their business associate agreements (and respective subcontractor agreements) to confirm that the terms align with the changes in the HIPAA Final Rule as well as the services being provided by such parties. Reviewing the agreements is particularly important for information technology vendors (e.g., data centers, IT technicians and other service providers, data destruction vendors, etc.) providing services to healthcare providers, health plans and other covered entities because the business associate agreement (or subcontractor agreement) may change the scope of some of the obligations.
For example, with respect to the requirement to provide "access to a copy of electronic PHI to either the covered entity, the individual, or the individual's designee," HHS stated:
Depending on the services being provided, many IT vendors will not generally have direct interaction with the patient or individual and may not routinely interact with the PHI (or at least not in a manner that would make such a vendor best suited to provide the patient with access). As such, given that BAs and subcontractors now have direct liability, they would be best served by ensuring that contract provisions accurately reflect the scope of services being provided, and by striking language that would otherwise expand the scope of their liability.
The HIPAA Final Rule was published in the Federal Register on January 25, 2013 and is formally titled "Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule."
This FAQ post, and the information on this website, have been prepared for general information purposes only. The information on this website is not legal advice. Legal advice depends on the specific circumstances of each situation and the jurisdiction of each state. The information contained here is not guaranteed to be up to date. Please consult legal counsel in your state to discuss your specific circumstances.