Direct Liability of Business Associates

This guidance remains in effect only to the extent that it is consistent with the court's order in Ciox Health, LLC v. Azar, No. 18-cv-0040 (D.D.C. January 23, 2020), which may be found at https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2018cv0040-51. More information about the order is available at https://www.hhs.gov/hipaa/court-order-right-of-access/index.html. Any provision within this guidance that has been vacated by the Ciox Health decision is rescinded.

In 2009, Congress enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act,1 making business associates of covered entities directly liable for compliance with certain requirements of the HIPAA Rules. Consistent with the HITECH Act, the HHS Office for Civil Rights (OCR) issued a final rule in 2013 to modify the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules.2  Among other things, the final rule identifies provisions of the HIPAA Rules that apply directly to business associates and for which business associates are directly liable.3

As set forth in the HITECH Act and OCR’s 2013 final rule, OCR has authority to take enforcement action against business associates only for those requirements and prohibitions of the HIPAA Rules as set forth below.

Business associates are directly liable for HIPAA violations as follows: 

1. Failure to provide the Secretary with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the Secretary to information, including protected health information (PHI), pertinent to determining compliance.4
2. Taking any retaliatory action against any individual or other person for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules.5
3. Failure to comply with the requirements of the Security Rule.6
4. Failure to provide breach notification to a covered entity or another business associate.7
5. Impermissible uses and disclosures of PHI.8
6. Failure to disclose a copy of electronic PHI (ePHI) to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement) to satisfy a covered entity's obligations regarding the form and format, and the time and manner of access under 45 C.F.R. §§ 164.524(c)(2)(ii) and 3(ii), respectively.9
7. Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.10
8. Failure, in certain circumstances, to provide an accounting of disclosures.11
9. Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.12
10. Failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.13

For example, where the business associate’s agreement with a covered entity requires it to provide an individual with an electronic copy of his or her ePHI upon the individual’s request and the business associate fails to do so, OCR has enforcement authority directly over the business associate for that failure. (See No. 6 above.)  

By contrast, OCR lacks the authority to enforce the “reasonable, cost-based fee” limitation in 45 C.F.R. § 164.524(c)(4) against business associates because the HITECH Act does not apply the fee limitation provision to business associates.  A covered entity that engages the services of a business associate to fulfill an individual’s request for access to their PHI is responsible for ensuring that, where applicable, no more than the reasonable, cost-based fee permitted under HIPAA is charged.  If the fee charged is in excess of the fee limitation, OCR can take enforcement action against only the covered entity.

• 1. The HITECH Act was enacted as title XIII of division A and title IV of division B of the American Recovery and Reinvestment Act of 2009 (ARRA), Pub. L. 111-5.
• 2. 78 FR 5566 (January 25, 2013).
• 3. See 78 FR 5566.
• 4. See 45 CFR §§ 160.310, 164.502(a)(4)(i).
• 5. See 45 CFR § 160.316.
• 6. See HITECH Act § 13401, 42 USC § 17931 (making 45 CFR §§ 164.308, 164.310, 164.312, and 164.316 directly applicable to business associates, as well as any other security provision that the HITECH Act made applicable to covered entities); 45 CFR §§ 164.306, 164.308, 164.310, 164.312, 164.314, 164.316.
• 7. See 45 CFR §§ 164.410, 164.412.
• 8. See 45 CFR § 164.502(a)(3).
• 9. See 45 CFR § 164.502(a)(4)(ii).
• 10. See 45 CFR § 164.502(b).
• 11. See HITECH Act § 13405(c)(3), 42 U.S.C. § 17935(c)(3) (“A business associate included on a list under subparagraph (b) shall provide an accounting of disclosures (as required under paragraph (1) for a covered entity) made by the business associate upon a request made by an individual directly to the business associate for such an accounting.”). OCR plans to issue rulemaking on the accounting of disclosures as required by HITECH Act § 13405(c)(2).
• 12. See 45 CFR §§ 164.502(e)(1)(ii), 164.504(e)(5).
• 13. See 45 C.F.R. § 164.504(e)(1)(iii) (“A business associate is not in compliance with the standards in §164.502(e) and this paragraph, if the business associate knew of a pattern of activity or practice of a subcontractor that constituted a material breach or violation of the subcontractor's obligation under the contract or other arrangement, unless the business associate took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful, terminated the contract or arrangement, if feasible.”).