New HIPAA Fact Sheet for Business Associates

On May 24, the HHS Office for Civil Rights (OCR) released a new fact sheet for business associates explaining their direct liability for HIPAA compliance. OCR is the federal agency that enforces HIPAA, and it has the authority to take enforcement action against business associates, not just covered entities, for failing to comply with the rules' requirements and prohibitions.

Since the 2013 Omnibus Final Rule implemented the HITECH Act's extension of the HIPAA rules to business associates, there has been public confusion about who is covered. HIPAA applies directly to health care providers, health plans and clearinghouses, but if you are a vendor that works with these organizations and you receive, or are allowed to access, protected health information (PHI) on their behalf, these rules apply to you as well.

In the announcement statement, OCR Director Roger Severino said, “We want to make it as easy as possible for regulated entities to understand, and comply with, their obligations under the law.” Here, then, is a high-level summary of the 10 provisions for which a business associate can be held directly liable.

  1. Failure to provide records and compliance reports to OCR
  2. Taking retaliatory action against someone who files a HIPAA complaint
  3. Failure to comply with the requirements of the Security Rule
  4. Failure to provide breach notification
  5. Impermissible uses and disclosures of PHI
  6. Failure to disclose ePHI to the covered entity or the individual as required
  7. Failure to make reasonable efforts to limit PHI to the minimum necessary
  8. Failure to provide an accounting of disclosures
  9. Failure to enter into business associate agreements with subcontractors

To read the full list, which includes footnotes and citations:

If you have any concerns about compliance, the TMC HIPAA Compliance Programs are a fast and easy way to keep your practice HIPAA compliant. As always, we’re here to answer any and all HIPAA compliance questions: contact your TMC representative, or call our Customer Service Center at (888) 862-6742.