On May 24, 2019, the Office of Civil Rights (OCR) – the arm of the Department of Health and Human Services that enforces the Health Insurance Portability and Accountability Act (HIPAA) – issued a new fact sheet clarifying the specific instances in which a business associate can be found directly liable for violations of the HIPAA Privacy, Security, Breach Notification and Enforcement Rules (“HIPAA Rules”). As you may know, prior to the promulgation of the 2013 HIPAA Final Rule, liability of business associates could arise only under the terms of a business associate agreement.

In the wake of an historic, multi-state lawsuit filed against a “Business Associate” earlier this month, it is imperative that companies with business associate agreements (BAA) in place with health care/plan customers review internal data security policies and procedures to ensure they are in compliance with their obligations arising under HIPAA, state privacy laws and the BAAs.