The HITECH Act and Business Associates: Understanding Your Direct Liability for HIPAA Violations (42 U.S.C. § 17931)
Executive Summary
Since the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, business associates have become directly liable for certain violations of the HIPAA Privacy and Security Rules. Under 42 U.S.C. § 17931, business associates are no longer shielded by covered entities but are subject to direct enforcement by the U.S. Department of Health and Human Services (HHS). This article outlines what small healthcare practices need to understand about business associate relationships, liability exposure, and the steps required to ensure compliance in an era of expanding digital health infrastructure and data sharing.
What Is a Business Associate?
A business associate is any person or entity outside a covered entity’s workforce that performs services involving the use or disclosure of Protected Health Information (PHI) on behalf of a covered entity. Common examples include:
- Medical billing companies
- IT providers who maintain or access ePHI
- Cloud storage vendors
- Medical transcription services
- Third-party administrators (TPAs)
Under HIPAA, business associates must enter into a Business Associate Agreement (BAA) with covered entities. However, after HITECH, the BAA is no longer a shield from enforcement; it is a shared obligation.
The Legal Basis: 42 U.S.C. § 17931
Section 13401 of the HITECH Act (codified at 42 U.S.C. § 17931) states:
“Each business associate of a covered entity that obtains or creates protected health information pursuant to a written contract… shall be subject to the same security provisions… and civil and criminal penalties as a covered entity.”
This provision extends the Security Rule and certain provisions of the Privacy Rule directly to business associates and opens the door to enforcement actions by the HHS Office for Civil Rights (OCR), including:
- Civil monetary penalties
- Mandatory audits
- Corrective action plans
Which HIPAA Rules Apply to Business Associates?
Business associates are directly liable under HIPAA and the HITECH Act for the following:
| Provision | Description |
| --- | --- |
| Security Rule (45 CFR §§ 164.302–318) | Must implement administrative, physical, and technical safeguards for ePHI |
| Privacy Rule (specific provisions only) | Must limit uses and disclosures to those permitted under their BAA |
| Breach Notification Rule (45 CFR § 164.410) | Must notify covered entities of breaches of unsecured PHI without unreasonable delay |
| Documentation and Retention | Must maintain documentation for six years (as per 45 CFR § 164.530(j)) |
Business associates are also responsible for ensuring any subcontractors that handle PHI on their behalf comply with these same requirements.
Direct Liability vs. Contractual Liability
Direct Liability (Under HITECH and HIPAA)
Business associates can now be investigated and penalized by OCR independently of the covered entity. This includes:
- Failing to conduct risk assessments
- Failing to implement safeguards for ePHI
- Unauthorized uses or disclosures of PHI
- Failing to report a breach to the covered entity
Contractual Liability (BAA Violations)
While BAAs govern the terms of the relationship, they do not replace federal compliance obligations. Covered entities can sue business associates for breach of contract, but OCR can impose civil penalties separately.
Business Associate Agreements: Still a Critical Safeguard
Even though the HITECH Act imposes direct liability, covered entities must still execute written BAAs with all business associates. The BAA should:
- Clearly define permissible uses and disclosures
- Require implementation of security safeguards
- Mandate breach reporting procedures
- Require subcontractor compliance down the chain
Failure to have a valid BAA in place may itself be considered a HIPAA violation, exposing both parties to regulatory penalties.
Real-Life Case Study: A Business Associate Pays the Price
In 2020, the OCR settled a case with a business associate of a North Carolina-based health system after the associate's employee stole and sold patient information. The business associate had no formal risk analysis or breach response procedures in place. OCR found that the associate violated the Security Rule and failed to notify the covered entity in a timely manner.
The result:
- A $2.3 million financial settlement
- Mandatory implementation of a corrective action plan
- Three years of compliance monitoring
Lessons Learned:
- Small vendors and service providers are not exempt
- Lack of documentation and controls can escalate risk significantly
- Delayed breach reporting compounds violations
Action Plan for Covered Entities and Business Associates
For Covered Entities
| Action Item |
| --- |
| Conduct a complete inventory of vendors |
| Ensure valid, updated BAAs are in place |
| Review vendor security policies and controls |
| Limit PHI access to only necessary parties |
| Audit and monitor vendor performance |
For Business Associates
| Action Item |
| --- |
| Perform a HIPAA Security Rule risk assessment |
| Implement access controls, encryption, and audit logs |
| Designate a HIPAA Security Officer |
| Train staff annually on HIPAA responsibilities |
| Establish and document a breach response process |
| Execute BAAs with all subcontractors handling PHI |
Key Takeaways for Small Practices
- Business associates are legally accountable under federal law for safeguarding PHI, not just contractually obligated.
- Covered entities must vet and monitor their business associates continuously, not just at onboarding.
- Business associates must self-govern and build a compliance framework that includes training, risk analysis, breach response, and subcontractor oversight.
- Both parties share liability for certain violations. Ignorance, size, or low volume of PHI handled is not a defense.
Common Pitfalls and How to Avoid Them
Pitfall 1: Believing a Signed BAA Provides Full Protection
One of the most frequent mistakes is assuming that simply having a Business Associate Agreement (BAA) in place fully protects a business associate (BA) from liability. In reality, since the HITECH Act, business associates are directly accountable under HIPAA. A BAA is a requirement, but it does not act as a shield against enforcement actions or penalties.
How to avoid it: Understand that a BAA is only the foundation of your HIPAA compliance obligations. Implement additional safeguards such as access controls, encryption, breach response protocols, and staff training. These protections must go beyond what's written in the agreement.
Pitfall 2: Failing to Conduct a Risk Analysis
OCR enforcement actions often highlight the failure of business associates to perform a proper risk analysis. Many small vendors believe this is only required for covered entities, but HIPAA’s Security Rule explicitly applies to business associates as well.
How to avoid it: Conduct a comprehensive risk analysis at least annually or whenever major changes occur in your technology, operations, or workforce. Document the process, the findings, and the steps taken to mitigate each identified risk.
Pitfall 3: Delayed Breach Reporting
HIPAA requires business associates to report security incidents to covered entities without unreasonable delay. Some BAs underestimate what qualifies as a reportable breach or simply lack a process for reporting, which can result in delayed notifications and steeper penalties.
How to avoid it: Establish an internal reporting protocol that includes timelines (e.g., within 10 days of discovering the incident) to ensure timely disclosure to your covered entity partner. Train staff to recognize and escalate potential breaches immediately.
Pitfall 4: Using Subcontractors Without HIPAA-Compliant Agreements
A major compliance blind spot is engaging subcontractors to handle PHI without ensuring they sign their own BAAs and follow HIPAA requirements. Business associates are responsible for the actions of their downstream vendors.
How to avoid it: Never allow a subcontractor to access PHI until they’ve signed a compliant BAA. Request evidence of their security practices, and confirm that they’re aware of their legal responsibilities under HIPAA.
Pitfall 5: Neglecting Workforce Training and Oversight
Many business associates assume their limited size or technical role means they don’t need HIPAA training. But even small vendors or IT consultants must ensure that employees understand the rules and risks.
How to avoid it: Provide HIPAA training tailored to your workforce’s role, even if it’s a small team. Document attendance, refresh training yearly, and update it when regulations or policies change.
Final Thoughts and Recommended Next Steps
HITECH's expansion of liability to business associates represents a permanent and fundamental shift in the HIPAA compliance landscape. Small practices must view third-party compliance as part of their own risk exposure and operational oversight. Equally, small business associates must understand that they are accountable to federal regulators, not just their clients.
Next Steps:
- Review and update all BAAs to reflect current business relationships and responsibilities.
- Conduct a gap analysis of your organization’s or vendor’s compliance with the HIPAA Security Rule.
- Confirm that all subcontractors are HIPAA-compliant and have signed appropriate downstream BAAs.
- Familiarize yourself with HHS guidance on business associate responsibilities: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html