Business Associates are NOT Responsible for Clients’ HIPAA Compliance, BUT They Still Might Be at Risk

The following is a guest blog post by Mike Semel from Semel Consulting.

“Am I responsible for my client’s HIPAA compliance?”

“What if I tell my client to fix their compliance gaps, and they don’t? Am I liable?”

“I told a client to replace the free cable Internet router with a real firewall to protect his medical practice, but the doctor just won’t spend the money. Can I get in trouble?”

“We are a cloud service provider. Can we be blamed for what our clients do when using our platform?”

“I went to a conference and a speaker said that Business Associates were going to be held responsible for their clients’ compliance. Is this true???”

I hear questions like these all the time from HIPAA Business Associates. The answers are No, No, No, No, and No.

“A business associate is not liable, or required to monitor the activities of covered entities under HIPAA, but a BA has similar responsibilities as a covered entity with respect to any of its downstream subcontractors that are also BAs,” said Deven McGraw, Deputy Director for Health Information Privacy, US Department of Health and Human Services Office for Civil Rights (OCR), and Acting Chief Privacy Officer for the Office of the National Coordinator for Health Information Technology, on August 17, 2017.

So, while you aren’t responsible for your clients’ HIPAA compliance, what they do (or don’t do) still might cost you a lot if you aren’t careful. In my book, How to Avoid HIPAA Headaches, ther...
Source: EMR and HIPAA (blogs), category: Information Technology. Tags: Healthcare, HealthCare IT, HIPAA, General HIPAA Training, HIPAA BA, HIPAA Business Associates, HIPAA Compliance, Mike Semel, Semel Consulting.