Wilson Technology Group and More

Your One Stop IT and Telecommunications Firm

Application of HIPAA to Business Associates

Leave a comment

The Final Rule applies certain HIPAA privacy, security, and enforcement regulations directly to Business Associates (BA), and provides that if a BA violates any HIPAA provision that is now directly applicable to it, the BA is subject to all criminal and civil penalties under HIPAA, which were increased significantly under HITECH.  Under the revised HIPAA regulations, BA’s are now directly liable for:

1)  Impermissible uses or disclosures of PHI

2)  Failure to provide appropriate access to electronic copy of PHI to a Covered Entity (CE), individual, or individual’s representative

3)  Failure to provide proper breach notification to a CE

4)  Failure to disclose PHI when required by HHS to investigate the BA’s compliance with HIPAA

5)  Failure to comply with the applicable requirements of the Security Rule

Perhaps most significantly, the Final Rule provides that if a BA violates a provision of a BA Agreement, that contractual violation is now a HIPAA violation.  The Final Rule also states that BA’s must comply with HIPAA “minimum necessary” standard and only use, disclose, or request PHI from another entity if they limit PHI to the minimum amount necessary to accomplish the intended purpose of the use, disclosure,or request.

Taken in part from:  Miller and Martin, PLLC   3/8/2013


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s