OCR paying more attention to HIPAA business associates

The HHS Office for Civil Rights (OCR) is reminding entities classified as business associates (BAs) under the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) that they must allow covered entities (CEs) to access protected health information (PHI) that the BAs maintain on the CEs’ behalf. In a recent frequently asked question (FAQ), the OCR advised BAs—defined as persons or entities that perform certain functions or activities involving the use or disclosure of PHI on behalf of, or provide services to, a CE—of their obligation to use PHI in compliance with the HIPAA Privacy and Security Rules and in accordance with their BA agreements (BAAs). The issuance of the FAQ is further evidence of the OCR’s increased focus on BA compliance. For example, the agency has entered into several resolution agreements in 2016 relating to BAs and BAAs, and planned to begin HIPAA audits of BAs in late September.

BAs cannot block CEs’ access to PHI in any manner, or for any purpose, that would violate the Privacy Rule. For example, activating a kill switch in electronic health record software developed by the BA in order to make the PHI inaccessible until the CE pays the BA would be a violation. BAs are required to return PHI to CEs, as provided for in their BAAs, when the agreement is terminated. BAs must also provide PHI to a CE where it is necessary to fulfill the CE’s duty to provide individuals with access to their PHI.

BAs must also ensure the confidentiality, integrity, and availability of electronic PHI (ePHI) pursuant to the Security Rule; accordingly, a BA cannot deny a CE access to that ePHI. Furthermore, if a BAA is terminated, the BA must return the PHI in a format that is “reasonable in light of the agreement” so that it remains accessible.

Resolution agreements

Prior to 2016, the OCR had not entered into more than six resolution agreements with CEs or BAs in an entire year. As of September 2016, the OCR had entered into 10 agreements, four of which involved BAs, directly or indirectly.

  • North Memorial Health Care. A health care system failed to enter into a BAA with a major contractor that performed certain payment and health care operations activities on its behalf; it also failed to complete a risk analysis. The system paid $1.55 million to resolve the dispute.
  • Raleigh Orthopaedic Clinic, P.A. An orthopedic clinic handed over the PHI of nearly 17,300 patients to an x-ray transfer company with which it was considering doing business, without first executing a BAA. The clinic paid $750,000.
  • Catholic Health Care Services of the Archdiocese of Philadelphia. A BA provided management and information technology services to six skilled nursing facilities (SNFs); a mobile phone containing unencrypted PHI belonging to those facilities was stolen. The BA resolved the dispute for $650,000.
  • Care New England Health System. A health system that provided a hospital with technical support and information security failed to update its BAAs. (For further information, see Health Law Daily, Business associates in hot water over breaches and bad agreements, September 26, 2016.)

The OCR is taking incremental steps to hold BAs accountable for HIPAA compliance. From FAQs to resolution agreements to audits, the agency has put BAs on notice that they will be held accountable for violations.

ONC blog series tries to bust HIPAA information-sharing myths

The Office of the National Coordinator for Health Information Technology (ONC) is trying to shake the Health Insurance Portability and Accountability Act’s (HIPAA’s) (P.L. 104-191) image as a roadblock to information-sharing. In a four-part blog series, Chief Privacy Officer Lucia Savage, J.D., and Privacy Analyst Aja Brooks, J.D., described how HIPAA promotes interoperability through permitted uses and disclosures that do not require covered entities (CEs) to first obtain written authorization from the patient. The posts provided real-life examples of permitted uses and disclosures involved in exchanges for both treatment and health care operations.

If an individual authorizes a release of protected health information (PHI) in writing, including when she requests that the PHI be sent directly to a third party, a CE or business associate (BA) must generally comply. However, CEs and BAs are often uncomfortable releasing PHI when such authorization has not been given. The blogs emphasize that HIPAA provides for the release of PHI for the treatment and health care operations of either the disclosing CE or the recipient CE (45 CFR 164.506(c)). Treatment is defined pursuant to 45 C.F.R. 164.501 and includes, in addition to traditional treatment, referrals, coordination of health care services with a third party, and consultation between providers. A disclosing provider is responsible for disclosing the information in a permitted and secure manner, such as via certified electronic health record technology (CEHRT), but will not be liable for any actions that the recipient takes with that information.

Health care operations

Covered entities may also disclose information to other CEs or their respective BAs without authorization in certain circumstances related to health care operations, including those involving case management and quality assessment and improvement. In all instances, both CEs involved in the exchange must have an existing or previous relationship with the patient, the requested PHI must pertain to that relationship, and the disclosing CE must release only the minimum necessary information. For example, a physician may disclose minimum necessary PHI related to diabetic and pre-diabetic patients to a health management company that is a BA of a health plan (CE) so that the health management company can, at the health plan’s request, provide semi-monthly nutritional advice to members. The ONC also indicated that providers who are part of an accountable care organization (ACO) and operate as an organized health care arrangement (OHCA) may provide PHI to the ACO’s quality committee for quality assessment purposes if, for example, the ACO is looking to improve its rate of hospital-acquired infections. Similarly, a provider may provide PHI about a current patient to the patient’s former provider if the former provider needs that information for quality assessment.

HIPAA: a tool for sharing?

The blog authors explained that HIPAA is not only a tool to protect PHI, but can be used to enable access to that same information when necessary for patient care. They hoped that the posts “shed some light on how HIPAA supports the goal of nationwide, interoperable exchange of health information for patient care and health.” Perhaps wary providers will take note.