The Final Rule applies certain HIPAA privacy, security, and enforcement regulations directly to Business Associates (BAs), and provides that if a BA violates any HIPAA provision that is now directly applicable to it, the BA is subject to all criminal and civil penalties under HIPAA, which were increased significantly under HITECH. Under the revised HIPAA regulations, BAs are now directly liable for:
1) Impermissible uses or disclosures of PHI
2) Failure to provide appropriate access to an electronic copy of PHI to a Covered Entity (CE), an individual, or an individual’s representative
3) Failure to provide proper breach notification to a CE
4) Failure to disclose PHI when required by HHS to investigate the BA’s compliance with HIPAA
5) Failure to comply with the applicable requirements of the Security Rule
Perhaps most significantly, the Final Rule provides that if a BA violates a provision of a BA Agreement, that contractual violation is now also a HIPAA violation. The Final Rule also states that BAs must comply with HIPAA’s “minimum necessary” standard: they may use, disclose, or request PHI from another entity only if they limit the PHI to the minimum amount necessary to accomplish the intended purpose of the use, disclosure, or request.
Taken in part from: Miller and Martin, PLLC 3/8/2013