Photo of William P. Keefer

In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act, imposed direct liability on business associates for certain violations of the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (the “HIPAA Rules”). The resulting 2013 HHS Office for Civil Rights (OCR) final rule modified the HIPAA Rules accordingly. In May of this year, OCR posted guidance on the HHS website reiterating the parameters of business associate liability, as follows:
Continue Reading