What Everyone Ought To Know About Business Associate Liabilities

Recently there was a report of hundreds of patient medical records found dumped along the side of a road in South Fulton County, Georgia. It appears that the records were placed in storage after a fire at Hope Medical and that there were unpaid storage fees, resulting in the inappropriate disposal of the records containing personally identifiable information.

Is the Storage Facility responsible for safeguarding of the clinic’s patients’ medical records? Most legislation does not give clear guidance or details regarding the storage of medical records. It does make clear that a covered entity holds the ultimate responsibility of safeguarding the personal health information (PHI) of their patients.

When considering off site storage, it would be prudent to consider the storage unit as an extension of your facility. Does your facility have security cameras and alarms? Is your facility climate controlled? These are just a couple of items to check off in understanding the safeguarding your patients’ medical records.

Whether a business associate is responsible for a data breach, the HHS and OCR has created the following guidance and was given authority to take enforcement action against business associates only for those requirements and prohibitions of the HIPAA Rules as set forth below.

Business associates are directly liable for HIPAA violations as follows:

1. Failure to provide the Secretary with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the Secretary to information, including protected health information (PHI), pertinent to determining compliance.

2. Taking any retaliatory action against any individual or other person for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules.

3. Failure to comply with the requirements of the Security Rule.

4. Failure to provide breach notification to a covered entity or another business associate.

5. Impermissible uses and disclosures of PHI.

6. Failure to disclose a copy of electronic PHI (ePHI) to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement) to satisfy a covered entity's obligations regarding the form and format, and the time and manner of access under 45 C.F.R. §§ 164.524(c)(2)(ii) and 3(ii), respectively.

7. Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

8. Failure, in certain circumstances, to provide an accounting of disclosures.

9. Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.

10. Failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.

Covered entities should address these possible HIPAA violations in their Business Associate Agreements and their Annual Business Associate Risk Assessments.

Are you unsure how to handle your Business Associates and their Agreements?

Dsyfer has an automated system which manages your organizations Business Associate Agreements and Business Associate Risk Assessments, at intervals you choose for your program.

Dsyfer can help. For more information, call a Dsyfer client service member at 480.779.4653 or email info@sybersafe.com.