Practice tip of the week: Times you can be held liable for a business associate’s HIPAA breach

lightbulb doodle © Matias - stock.adobe.com

With all the useful information available on Physicians Practice, it is easy to become overwhelmed.

With this in mind, the tip of the week is a chance to reflect on some of the wisdom found all across the site. In the April 2021 slideshow on times you can be held liable for a business associate’s HIPAA breach, P.J. Cloud-Moulds writes the following:

The provider, and in certain situations its business associate, have direct liability under HIPAA, meaning that should either party breach certain aspects of the HIPAA Rules, the HHS Office for Civil Rights (OCR) may bring an enforcement action directly against that party. Recently, the OCR issued a fact sheet that specifically identifies the only situations where a business associate has direct liability under HIPAA.

Those 10 situations are:

1). Failure to provide the secretary of HHS with records and compliance reports.

2). Taking any retaliatory against any individual or other person filing a HIPAA complaint.

3). Failure to comply with the requirements of the Security Rule.

4). Failure to provide breach notification to a covered entity or another business associate.

5). Impermissible uses and disclosures of PHI.

Click here to read the rest of the article and be sure to check back next week for another Tip of the Week!