The U.S. Department of Health and Human Services' Office for Civil Rights last week reminded business associates of healthcare providers and plans that they can be held liable for violations of the Health Insurance Portability and Accountability Act (HIPAA) rules.

In a fact sheet it updated on Friday, the OCR reiterated the provisions of the HIPAA Rules that apply directly to business associates and for which business associates are directly liable.

According to the OCR, business associates can only be held liable for HIPAA violations in the following conditions:

1. Failure to provide the Secretary with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the Secretary to information, including protected health information (PHI), pertinent to determining compliance.

2. Taking any retaliatory action against any individual or other person for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules.

3. Failure to comply with the requirements of the Security Rule.

4. Failure to provide breach notification to a covered entity or another business associate.

5. Impermissible uses and disclosures of PHI.

6. Failure to disclose a copy of electronic PHI (ePHI) to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement) to satisfy a covered entity’s obligations regarding the form and format, and the time and manner of access under 45 C.F.R. §§ 164.524(c)(2)(ii) and 3(ii), respectively.

7. Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

8. Failure, in certain circumstances, to provide an accounting of disclosures.

9. Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.

10. Failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.

As the HITECH Act and the OCR's 2013 final rule stipulates, the OCR has authority to take enforcement action against business associates as long as one of these requirements and prohibitions of the HIPAA Rules is violated. The final rule to modify HIPAA went into effect on March 26 that year; covered entities were supposed to comply with its requirements six months later, on September 23.

It’s important to remember there is a difference between covered entities and business associates.

Covered entities, to which of course the HIPAA rules apply to, are defined as health plans, health clearinghouses, and healthcare providers who electronically transmit health information in connection with transactions for which HHS has adopted standards.

A business associate is an individual or entity that executes particular responsibilities that include the use or disclosure of protected health information in support of, or as a service to, a covered entity.

It's the second time this year that the OCR has clarified how lliability under the HIPAA Rules can be interpreted. In April, it described how HIPAA pertains to covered entities when it comes to disclosing electronic protected health information to third-party apps and APIs.