Ever since the implementation of the requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 in the 2013 Omnibus Final Rule by the Department of Health and Human Services, HIPAA covered entities’ business associates can be directly charged in case of HIPAA Rules violations.
The HHS’ Office for Civil Rights further explained on May 24, 2019 which HIPAA violations can result in a financial penalty charged against a business associate.
Business associates of HIPAA covered entities will only be penalized for failing to meet the HIPAA Rules requirements and prohibitions specified below. OCR is not authorized to issue financial fines to business associates for HIPAA noncompliance not included in the list.
- Not giving records and compliance reports to the Secretary; not cooperating with the investigations of complaints or compliance reviews; and not giving the Secretary access to information, which includes protected health information, necessary for determining compliance.
- Retaliating against any person for filing a HIPAA complaint, taking part in investigations or opposing unlawful practices under the HIPAA Rules.
- Not complying with the Security Rule requirements.
- Not notifying a covered entity or business associate about a breach.
- Impermissible use or disclosure of PHI.
- Not disclosing an electronic PHI (ePHI) copy to the covered entity, the individual or a designee specified in the business associate agreement in satisfaction of a covered entity’s obligations concerning the form and format and the time and way of access.
- Not exerting reasonable efforts to restrict the use, disclosure or request of PHI to the minimum required to fulfill the intended purpose.
- Not providing an accounting of disclosures in some instances.
- Not entering into a business associate agreement with subcontractors that create or access PHI, and failing to comply with BAA requirements.
- Not taking action to address a physical breach or violation of the BAA by a subcontractor.
The HHS Fact Sheet about the direct liability of business associates can be downloaded here.
Penalties for HIPAA Violations by Business Associates
The HITECH Act required higher financial penalties for those not complying with the HIPAA Rules. In 2009, the HHS established that the terms of the HITECH Act required a $1.5 million maximum financial penalty for violating the same provision in one year. The maximum penalty amount was applied to all four penalty tiers, irrespective of the degree of culpability.
Upon reviewing the terms of the HITECH Act in 2019, the HHS saw that the penalty requirements had been interpreted in different ways. The $1.5 million maximum penalty was maintained for the highest penalty tier. However, in the other penalty tiers, HHS reduced the maximum possible penalty to match the level of culpability as follows:
- Tier 1 – $100 to $50,000 fine per violation; $25,000 maximum fine per year
- Tier 2 – $1,000 to $50,000 fine per violation; $100,000 maximum fine per year
- Tier 3 – $10,000 to $50,000 fine per violation; $250,000 maximum fine per year
- Tier 4 – $50,000 fine per violation; $1.5 million maximum fine per year