Violations by business associates

August 4, 2006

Q: Can I be held responsible for a HIPAA violation committed by one of my business associates, like a CPA who isn't a member of my staff but with whom I share protected health information?

A: Generally, no, provided you've complied with the business associate provisions of the HIPAA privacy and security rules. These rules require that you have a business associate agreement with people like CPAs and that you take reasonable steps to fix any HIPAA breach committed by them that you become aware of. If you fail to take these steps, the government can hold you liable.