HIPAA Technology and Clinical Research Guidance Library

1. What is a covered entity’s liability under the HIPAA Privacy Rule for sharing data inappropriately to or through a health information organization (HIO) or other electronic health information exchange network?

A covered entity that exchanges protected health information (PHI) to or through a HIO or otherwise participates in electronic health information exchange is responsible for its own non-compliance with the Privacy Rule, and for violations by its workforce. A covered entity is not directly liable for a violation of the Privacy Rule by a HIO acting as its business associate, if an appropriate business associate agreement is in place. Nor can a HIO as a business associate be held liable for civil money penalties arising from violations of the Privacy Rule. Rather, where a business associate agreement exists between a covered entity and a HIO for the electronic exchange of PHI, the HIO will be contractually obligated to adequately safeguard the PHI and to report noncompliance with the agreement terms to the covered entity, and the covered entity will be held accountable for taking appropriate action to cure known noncompliance by the business associate, and if unable to do so, to terminate the business associate relationship. See 45 C.F.R. §§ 164.502(e), 164.504(e). Furthermore, a covered entity is not liable for a disclosure that is based on the non-compliance of another entity within the health information exchange, as long as the covered entity has complied with the Privacy Rule.

2. Does the HIPAA Privacy Rule require a covered entity to “police” a health information organization (HIO), which functions as its business associate?

No. As with other business associates, the Privacy Rule would require that a covered entity enter into a relationship with a HIO in a way which anticipates and reasonably safeguards against the potential for inappropriate uses and disclosures, specifically through the use of a business associate agreement. The Privacy Rule also would require the covered entity to respond appropriately to complaints and evidence of violations, but it would not otherwise require the covered entity to actively monitor or oversee the extent to which a HIO, acting as its business associate, abides by the privacy provisions of the agreement, or the means by which the HIO carries out its privacy safeguard obligations. See 45 C.F.R. §§ 164.502(e), 164.504(e). 

3. How should a covered entity respond to any HIPAA Privacy Rule violation of a health information organization (HIO) acting as its business associate?

The Privacy Rule establishes a series of steps a covered entity should take in response to any complaints or other evidence it receives that a HIO has violated its business associate agreement, which include the following:

• investigation of any complaint received, as well as of other information containing credible evidence of a violation;
• reasonable steps to cure/end any material breaches or violations it becomes aware of;
• termination of the agreement where attempts to cure a material breach are unsuccessful; and
• in the event termination of the agreement is not feasible, the report of violation(s) to the Secretary of HHS, through OCR. See 45 C.F.R. § 164.504(e)

4. Who is liable under the HIPAA Privacy Rule where multiple covered entities have signed on to a single business associate agreement and one member breaches the agreement?

The Privacy Rule is flexible enough to allow multiple covered entities to exchange information with each other in an electronically networked environment upon entering into a single, multi-party business associate agreement. Regardless of the number of signatories, the obligations in a multi-party business associate agreement will be largely bi-directional. Covered entities will still be accountable for the actions of their workforce, as well as the contents and enforcement of its business associate agreement with the health information organization (HIO). See 45 C.F.R. §§ 164.530(b),(e) and 164.504(e). Covered entities will not be liable, however, for the violations of other participants in the HIO’s health information exchange. 

The information presented in our library is for informational purposes only, they are not for implementation in operations. Please consult official HIPAA guidance documents for operational use.

This information was sourced from HIPAA FAQs for Professionals.