Skip Navigation

Business Associates Could Be Responsible to Pay for Breaches

Bookmark and Share

February 4, 2010- Business Associates can be directly liable for a breach of unsecure protected health information (PHI) and could have to pay the Office of Civil Rights (OCR) directly, according to comments by Sue McAndrew, deputy director for Health Information Privacy for the agency. The comment was made at the 18th Annual National HIPAA Summit last week. 

"Business Associates going forward will be directly liable for violations that occur in their possession," McAndrew said. 

McAndrew also released breach numbers for January, 2010, indicating there have been 35 reports of breaches affecting 500-plus individuals, resulting in 712,000 notices.  There were more than 300 reports of smaller breaches. 

Full Article