Medical privacy
This article was originally published in The Gray Sheet
Executive Summary
Covered entities will not be held liable for business associates' privacy violations, according to the first HHS guidance on the final medical privacy rule, released July 6. Upon learning of such violations, however, a covered entity must take "reasonable steps" to discontinue the violation, or terminate the business contract "if feasible." In cases where termination is not possible, the covered entity is instructed to report the violation to HHS, although the document does not specify what steps the department would take to bring a business associate into compliance