Do Recent HHS statements indicate a change from OCR?

By Mary Buckley

September 3, 2018

Statements made during a recent lawsuit raise questions about the Department of Health and Human Services’ (HHS) intended enforcement oversight of business associates. Are the statements an indication that HHS is shifting its enforcement attitudes and practices away from business associates, or a narrow response to a claim made by the plaintiff? Only time will tell.

In an April 2018 motion to dismiss a suit filed by CIOX Health, LLC (a release of information contractor and business associate to many covered entities), HHS wrote that it “imposes no requirements or restrictions on business associates [concerning fees for access to and copies of protected health information (PHI)].”[i] The litigation underlying HHS’ surprising statements challenged the department’s 2013 rulemaking requiring providers to transmit all electronic patient data to a designated individual as well as 2016 OCR enforcement guidance limiting charges for medical records to a “reasonable, cost-based fee.”[ii] In response, HHS indicated that it does not regulate how much business associates charge for record requests, though it does prohibit covered entities from overcharging patients.[iii] HHS elaborated, “[b]ecause HHS has not and cannot take enforcement action against CIOX regarding the fees it charges for individual requests of [personal health information], CIOX cannot raise either an enforcement or pre-enforcement challenge to the Privacy Rule provision and guidance at issue.”[iv]

HHS’ statements may signal a shift, or at least a departure, from previous HHS actions related to oversight and enforcement activity of business associates. Not only are the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy and Security Rules currently written to apply specifically to business associates, but the HHS Office for Civil Rights (“OCR”) has twice imposed fines and corrective action on business associates for noncompliance. Previously, OCR had focused its enforcement activity on the covered entity, even where the violations were committed by the covered entity’s business associates.

Law as Written

HIPAA, as written, unambiguously and specifically applies to business associates. Section 13404(a) of the HITECH Act, which amended HIPAA, applies the rules governing covered entities “to business associates in the same manner as they apply to the providers and health plans for whom they are working.”[v] When HHS issued the HITECH final regulations in 2013, it declared that “any Privacy Rule limitation on how a covered entity may use or disclose [PHI] automatically extends to a business associate.”[vi]

Prior to the HITECH Act and its implementing rules, HHS regulated business associates only indirectly, by imposing certain requirements on the business associate agreements executed between covered entities and business associates. Specifically, HHS required that a business associate agreement must “not authorize the business associate to use or further disclose [PHI] in a manner that would violate the requirements of [the Privacy Rule].”[vii] The HITECH Act and the ensuing HITECH final rule changed the dynamic, extending many of the Privacy and Security Rule requirements directly to business associates.

Rates for medical record requests are set at the state level, and permissible charges vary from state to state.

Previous Business Associate Enforcement Activity

Not only do many of the Privacy Rule requirements governing limitations on uses and disclosures of PHI by covered entities also apply directly to business associates, but HHS has also acted on this application by imposing fines and corrective action on business associates that do not comply with HIPAA. In 2016, Catholic Health Care Services (“CHCS”) of the Archdiocese of Philadelphia, a business associate providing management and information technology services to six skilled nursing facilities,[viii] was required to pay a $650,000 fine and implement a corrective action plan after the theft of an unencrypted iPhone compromised the PHI of 412 nursing home residents.

More recently, HHS fined FileFax, Inc., another business associate, even after the company’s involuntary dissolution. FileFax, Inc., an Illinois medical records storage company, was investigated after OCR received an anonymous tip alleging that the company had brought medical records to a shredding facility but failed to dispose of them properly, leaving records containing the PHI of 2,150 individuals in an unlocked truck in its parking lot.[ix] OCR required FileFax to pay a $100,000 fine and to take corrective action with respect to the medical records that remained after the company’s dissolution.

Shift of HIPAA Enforcement Activity from Covered Entities to Business Associates

Though OCR has initiated direct HIPAA enforcement activity against business associates in recent years, this was not always the case. Prior to the HITECH Act and the HITECH final rule, OCR placed primary responsibility for HIPAA compliance on covered entities, even if the business associate perpetrated the wrongdoing.

An example of this is the North Memorial Health 2016 resolution. OCR imposed a fine and corrective action plan on North Memorial (the covered entity) for noncompliant behavior related to one of its business associates. North Memorial had failed to execute a business associate agreement with that business associate, a medical billing and revenue management company. Although North Memorial violated HIPAA by not executing the business associate agreement, the underlying breach that led to North Memorial’s corrective action plan occurred when an unencrypted laptop was stolen from a business associate workforce member’s vehicle. The breach affected 23,000 patients in total, 6,697 of whom had received care at North Memorial.[x]

The business associate was not the subject of any OCR enforcement action; however, it did settle with the Federal Trade Commission (“FTC”) and agreed to a host of corrective action measures to improve its practices for protecting consumers’ medical information.[xi] The business associate also settled with the Minnesota Attorney General and agreed to pay $2.5 million for the HIPAA violations as well as violations of various Minnesota debt collection and consumer protection laws.[xii]

Implication of HHS’s Statement

It is unclear what practical implication, if any, the recent statements made by HHS during the CIOX litigation will have for covered entities and business associates. Perhaps business associates worried about large fines for HIPAA violations involving fees for copies of records can breathe a sigh of relief. More likely, the statement was meant to apply narrowly to the case and facts at hand. Because the statements are puzzling and their impact uncertain, it remains important for covered entities and business associates to ensure that proper controls are in place for HIPAA compliance, including controls over the fees charged for copying records. That OCR does not impose fines or corrective action on a business associate does not mean the business associate will not pay for its HIPAA noncompliance in other ways (e.g., lost clients and a damaged reputation).

OCR’s varying approaches to enforcement activity against covered entities and business associates seem to signal that, no matter whom OCR chooses to pursue in an enforcement action, covered entities and business associates should make every effort, both together and independently, to achieve HIPAA compliance. Specifically, covered entities and business associates should maintain a comprehensive health information compliance program that ensures HIPAA privacy and security controls are in place. In particular, written policies and procedures, together with effective training and documentation of that training, help ensure that workforce members are adequately informed of their HIPAA and data privacy/security obligations. Keeping privacy and security policies up to date and retaining documentation of training shows regulators such as HHS that the entity is committed to HIPAA compliance and has made good-faith efforts to comply with the law in the event of a breach or other misconduct, whether intentional or unintentional.

[i] Sweeney, Evan. “HIPAA Lawsuit Raises Questions about HHS’ Oversight of Business Associates.” Fierce Healthcare, 9 May 2018.

[ii] HHS Office of the Secretary, Health Information Privacy Division. “Individuals’ Right under HIPAA to Access Their Health Information.” 25 Feb. 2016.

[iii] See 45 CFR 164.524(b)(2)-(4).

[v] H.R. CONF. REP. No. 111-16, at 493 (2009), reprinted in 2009 U.S.C.C.A.N. 3, 86 (explaining HITECH § 13404(a)).

[vi] Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under [HITECH]— Final Rule, 78 Fed. Reg. 5566, 5597 (2013) (“2013 Omnibus Rule”).

[vii] 45 C.F.R. § 164.504(e).

[viii] HHS Office of the Secretary, Office for Civil Rights. “Business Associate’s Failure to Safeguard PHI Leads to Settlement.” 29 June 2016.

[ix] HHS Office of the Secretary, Office for Civil Rights. “HIPAA Consequences Don’t Stop When a Business Closes.” 13 Feb. 2018.

[x] HHS Office of the Secretary, Office for Civil Rights. “$1.55 Million Settlement Underscores the Importance of Executing HIPAA Business Associate Agreements.” 16 March 2016.

[xi] McGee, Marianne Kolbasuk. “Accretive Health Breach: FTC Settlement.” Data Breach Today, 2 Jan. 2014.

[xii] “Minnesota Attorney General Announces $2.5 Million Settlement with Accretive Health.” Privacy & Information Security Law Blog, Hunton Andrews Kurth LLP, 5 Apr. 2018.