Mid-Atlantic Health Law TOPICS

Hero Image for page

Liability for Business Associate's HIPAA Violation

On April 18, 2005, the Department of Health and Human Services (HHS) issued proposed regulations that clarify the liability of a covered entity (health care providers that transmit health information in electronic form, health plans and billing clearinghouses) for the HIPAA violations of its business associates.
The regulations provide that a covered entity is not liable for the actions of its business associate provided that:
1. The covered entity has a HIPAA-compliant contract with its business associate;
2. Upon discovery of a material breach or violation of the contract, the covered entity takes reasonable steps to cure the breach or end the violation;
3. The covered entity terminates the contract if the breach or violation cannot be successfully corrected; and
4. The covered entity reports the problem to HHS if termination is not feasible.