In a development that may – understandably – have been overlooked by many heading into Memorial Day weekend, on May 24, 2019, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a Fact Sheet on Direct Liability of Business Associates under the Health Insurance Portability and Accountability Act (HIPAA).

The Fact Sheet provides an important reminder to covered entities, business associates, and their counselors regarding the circumstances in which OCR may – and may not – take enforcement actions directly against business associates for violations of HIPAA regulations. In the Fact Sheet, OCR explains that in 2009 the Health Information Technology for Economic and Clinical Health (HITECH) Act made business associates “directly liable for compliance with certain requirements” under HIPAA’s regulations, as addressed by OCR in its 2013 Omnibus Rule.Continue Reading OCR Issues Fact Sheet Listing Circumstances in which Business Associates May Face Direct Liability for HIPAA Violations