On April 18, 2005, the Department of Health and Human Services (HHS) issued proposed regulations that clarify the liability of a covered entity (health care providers that transmit health information in electronic form, health plans and billing clearinghouses) for the HIPAA violations of its business associates.
The regulations provide that a covered entity is not liable for the actions of its business associate provided that:
1. The covered entity has a HIPAA-compliant contract with its business associate;
2. Upon discovery of a material breach or violation of the contract, the covered entity takes reasonable steps to cure the breach or end the violation;
3. The covered entity terminates the contract if the breach or violation cannot be successfully corrected; and
4. The covered entity reports the problem to HHS if termination is not feasible.