Is it reasonable for covered entities to be held liable for the privacy violations of business associates?
“A: A health care provider, health plan, or other covered entity is not liable for privacy violations of a business associate. Covered entities are not required to actively monitor or oversee the means by which the business associate carries out safeguards or the extent to which the business associate abides by the requirements of the contract. Moreover, a business associate’s violation of the terms of the contract does not, in and of itself, constitute a violation of the rule by the covered entity. The contract must obligate the business associate to advise the covered entity when violations have occurred. If the covered entity becomes aware of a pattern or practice of the business associate that constitutes a material breach or violation of the business associate’s obligations under its contract, the covered entity must take “reasonable steps” to cure the breach or to end the violation. Reasonable steps will vary with the circumstances and nature of the business relationship. If such