Ten Commandments for Business Associates

May 31, 2019

While they were not carved into stone tablets, they arrived in the 2019 version as an edict from OCR.

Here they are:

  1. Failure to comply with the requirements of the HIPAA Security Rule, e.g., performing a risk assessment or implementing the required administrative, physical and technical safeguards.

  2. Failure to enter business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.

  3. Failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.

  4. Impermissible use or disclosure of PHI, including a use or disclosure that is not permitted under the business associate agreement.

  5. Failure to make reasonable efforts to limit the request, use or disclosure of PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

  6. Failure to disclose a copy of electronic PHI to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement) as necessary to enable the covered entity to comply with the patient’s right of access.

  7. Failure to provide an accounting of disclosures as necessary to enable the covered entity to comply with its obligations to provide such an accounting when requested.

  8. Failure to notify the covered entity or another business associate of a breach of PHI as required by the breach notification rule.

  9. Retaliating against others for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules.

  10. Failure to provide HHS with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by HHS to information, including protected health information, pertinent to determining compliance.