Direct Liability of Business Associates for HIPAA Noncompliance

Direct Liability of Business Associates for HIPAA Noncompliance

Published: September 3rd, 2019

According to the Department of Health and Human Services (HHS), business associates of HIPAA covered entities may be held liable for noncompliance of certain HIPAA rules and requirements. HHS has provided the following list of HIPAA violations that business associates can be held fully liable.

  • Failure to provide the Secretary with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the Secretary to information, including protected health information (PHI), pertinent to determining compliance.
  • Taking any retaliatory action against any individual or other person for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules.
  • Failure to comply with the requirements of the Security Rule.
  • Failure to provide breach notification to a covered entity or another business associate.
  • Impermissible uses and disclosures of PHI.
  • Failure to disclose a copy of electronic PHI (ePHI) to either the covered entity, the individual, or the individual’s designee (whichever is specified in the business associate agreement) to satisfy a covered entity’s obligations regarding the form and format, and the time and manner of access under 45 C.F.R. §§ 164.524(c)(2)(ii) and 3(ii), respectively.
  • Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
  • Failure, in certain circumstances, to provide an accounting of disclosures.
  • Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.
  • Failure to take reasonable steps to address a material breach or violation of the subcontractor’s business associate agreement.

Penalties for HIPAA Violations by Business Associates

HHS will be using the following penalty structure detailed below for HIPAA Violations by Business Associates:

  • Tier 1 ($100-$50,000 per violation. Maximum $25,000 per year) - Unaware of the HIPAA violation and by exercising reasonable due diligence would not have known HIPAA rules had been violated.  
  • Tier 2 ($1,000 -$50,000 per violation. Maximum $100,000 per year) - Reasonable cause that the covered entity knew about or should have known about the violation by exercising reasonable due diligence.
  • Tier 3 ($10,000-$50,000 per violation. Maximum $250,000 per year) - Willful neglect of HIPAA rules with the violation corrected within 30 days of discovery.
  • Tier 4 ($50,000 per violation. Maximum $1.5 million per year) - Willful neglect of HIPAA rules and no effort made to correct the violation within 30 days of discovery.



For further questions regarding HIPAA requirements for business associates, contact the experts at MedSafe for a free consultation. MedSafe is the nation's leading one-stop resource for outsourced safety and health compliance solutions in healthcare.

Toll-free: (888) MED-SAFE




Get Weekly Updates

* indicates required