Are covered entities liable for the privacy violations of Business Associates?
No. A health care provider, health plan, or other Covered Entity is not liable for privacy violations of a Business Associate. Covered entities are not required to actively monitor or oversee the means by which their Business Associates abide by the requirements of their contracts. If a Covered Entity becomes aware of a pattern or practice of a Business Associate that constitutes a material breach or violation of the Business Associate's obligations under the Business Associate contract, the Covered Entity must take reasonable steps to cure the breach or to end the violation. Reasonable steps will vary with the circumstances. If steps to cure or end the violation are not successful, the Covered Entity must terminate the Business Associate contract, if feasible. In circumstances where termination is not feasible, such as where there are no other viable business alternatives for the Covered Entity, the Covered Entity must report the problem to HHS.

Administrative Requirements 29. Will it