HIPAA Violations: Who Is Liable—Covered Entities, Business Associates, and Staff

Kevin Henry

HIPAA

October 15, 2024

Liability for HIPAA violations is shared. Covered entities, business associates, and workforce members each carry distinct duties for protecting protected health information (PHI). Understanding where PHI disclosure liability attaches—and how agency scope liability works—helps you prevent breaches and respond effectively when they occur.

This guide explains who is accountable, what contracts must say, how subcontractors fit in, and how enforcement and civil monetary penalties are applied. It also clarifies HIPAA breach notification duties so you can act quickly and confidently.

Covered Entities' Liability

Scope of liability

Covered entities (health plans, clearinghouses, and most providers that transmit standard transactions) hold primary responsibility for HIPAA compliance. You must implement administrative, physical, and technical safeguards, document policies, train your workforce, and enforce sanctions. If a workforce member mishandles PHI, the organization typically bears PHI disclosure liability.

Liability extends to lapses such as inadequate risk analysis, missing audit controls, or failing to follow the minimum necessary standard. These are core workforce compliance obligations, and gaps often surface during investigations even when a single incident triggered the review.

HIPAA breach notification duties

When a breach of unsecured PHI is discovered, you must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. For incidents affecting 500 or more residents of a state or jurisdiction, you must also notify prominent media. All breaches require notice to HHS under the HIPAA Breach Notification Rule, with timing tied to breach size.

Business associates must notify the covered entity of breaches they discover, providing details needed for your notices. Your incident response plan should define roles, escalation paths, and evidence collection to meet these deadlines.

Common pitfalls

  • Misdirected mail, email, or faxes containing PHI without safeguards like verification or secure transmission.
  • Unencrypted devices or cloud repositories lacking access controls and logging.
  • Overbroad disclosures that ignore the minimum necessary standard or lack an authorization.
  • Incomplete sanction policies or training that leaves staff unclear on expectations.

Business Associates' Liability

Direct liability and responsibilities

Business associates (BAs) create, receive, maintain, or transmit PHI for a covered entity. They are directly liable for compliance with the HIPAA Security Rule and key Privacy Rule provisions, not just for honoring contract promises. Your obligations include risk analysis, safeguards, workforce training, and restricting PHI uses and disclosures to what the contract and HIPAA permit.

Because BAs are first-line custodians of systems and data, OCR expects demonstrable security engineering discipline—access management, encryption, auditing, patching, and vendor oversight. Failure can lead to corrective action plans and civil monetary penalties applied to the BA itself.

Breach notification and cooperation

Upon discovering a breach of unsecured PHI, a BA must notify the covered entity without unreasonable delay and no later than 60 days after discovery. Provide the identities of affected individuals (if known), the nature of the incident, the data elements involved, and steps taken to mitigate harm so the covered entity can meet HIPAA breach notification requirements.

OCR’s enforcement increasingly targets service providers—IT vendors, billing firms, and cloud operators—when basic safeguards are absent or Business Associate Agreements are deficient. Expect scrutiny of your audit trails, incident response records, and subcontractor management as part of covered entity enforcement actions.

Staff Member Accountability

Workforce obligations and sanctions

Workforce includes employees, volunteers, and trainees of covered entities and business associates. You must follow policies, complete training, use only authorized systems, and apply minimum necessary access. Employers must maintain and enforce disciplinary standards; sanctions can range from retraining to termination.

OCR generally pursues organizations, not individual employees, for civil violations. However, repeated or reckless conduct by staff can elevate organizational exposure and trigger stiffer corrective action. Workforce compliance obligations also intersect with licensing boards, which may impose professional discipline for privacy breaches.

Criminal exposure for individuals

Individuals can face criminal penalties for knowingly obtaining or disclosing PHI in violation of HIPAA, especially for snooping, selling data, identity theft, or malicious misuse. Cases are referred to the Department of Justice; penalties scale with intent, financial gain, and resulting harm.

Agency Relationship Implications

When agency makes you liable

Under HIPAA’s vicarious liability rules, a covered entity or business associate can be liable for acts of its agents performed within the scope of agency. Whether a business associate is an “agent” turns on the right-to-control test, not job titles or contract labels. This is the crux of agency scope liability.

If a BA acts as your agent and exposes PHI, OCR may treat the principal as responsible—even if the BA violated instructions—when the conduct falls within the agent’s assigned functions. Clear scoping, documented instructions, and ongoing oversight help limit that exposure.

Practical steps to manage agency risk

  • Define precise permitted uses and disclosures and decision rights in the contract and runbooks.
  • Retain the right to direct performance, require approvals for higher-risk actions, and audit regularly.
  • Track delegated functions, escalate exceptions, and document corrective actions promptly.
  • Ensure your vendor governance program tests security controls, not just policy language.

Business Associate Agreement Requirements

Required clauses to include

  • Permitted uses and disclosures of PHI, including minimum necessary and any de-identification limits.
  • Security safeguards across administrative, physical, and technical domains, plus risk analysis duties.
  • Incident and HIPAA breach notification timelines, content, and cooperation requirements.
  • Subcontractor flow-down: require business associate agreements with any subcontractor handling PHI.
  • Support for individual rights (access, amendments, accounting of disclosures) and record retention.
  • HHS access to records related to compliance.
  • Return or destruction of PHI at termination and the right to terminate for material breach.

Risk allocation and operationalization

Strong Business Associate Agreements combine clear obligations with practical controls: encryption mandates, audit logging, change management, and third-party security attestations. Indemnity, cyber insurance, and liability caps align incentives, but they do not replace demonstrable compliance. Align procurement, IT, and privacy teams so contract promises map to deployed controls.

Subcontractor Compliance Responsibility

Who qualifies and what is required

A subcontractor that creates, receives, maintains, or transmits PHI on behalf of a BA is itself a business associate and directly subject to HIPAA. The BA must ensure the subcontractor signs a business associate agreement with equivalent protections and honors all applicable security and privacy requirements.

Oversight and flow-down controls

  • Maintain an inventory of subcontractors and data flows; restrict PHI to minimum necessary.
  • Perform risk-based due diligence and require evidence of security controls and training.
  • Set incident reporting timelines that let you meet overall HIPAA breach notification deadlines.
  • Conduct periodic audits or attestations and enforce corrective action when gaps surface.

Enforcement and Penalty Framework

OCR investigations and resolution

OCR enforces HIPAA through complaints, breach reports, and audits. Outcomes range from technical assistance and voluntary corrective action to resolution agreements with multi-year monitoring. Covered entity enforcement and BA scrutiny often focus on governance evidence: policies, training logs, risk analyses, and remediation records.

Civil monetary penalties and aggravating factors

Civil monetary penalties scale by the level of culpability—from lack of knowledge despite reasonable diligence to willful neglect not corrected. OCR considers factors such as the number of individuals affected, duration, harm, prior history, and post-incident cooperation. Strong documentation of safeguards and swift mitigation materially reduces exposure.

State and criminal enforcement

State Attorneys General can bring civil actions for HIPAA violations and related state privacy laws, sometimes coordinating with OCR. The Department of Justice handles criminal cases involving intentional misuse of PHI, identity theft, or fraud schemes. Parallel administrative, civil, and criminal pathways may proceed from a single incident.

Conclusion

HIPAA liability is shared: covered entities set the guardrails, business associates must operationalize strong controls, and staff execute daily practices that keep PHI safe. Clear contracts, disciplined oversight of agency relationships, and timely HIPAA breach notification reduce risk—and demonstrate accountability when regulators ask how you protected patients’ privacy.

FAQs

Who can be held liable for a HIPAA violation?

Covered entities and business associates can be directly liable for civil violations, and workforce members’ actions can expose their organizations. Individuals may also face criminal liability for knowingly obtaining or disclosing PHI in violation of HIPAA.

What is the role of business associates in HIPAA compliance?

Business associates must implement HIPAA-required safeguards, limit PHI uses and disclosures to what the contract and law allow, report incidents promptly, and ensure subcontractors sign compliant agreements. They are directly subject to enforcement for violations.

Can staff members be individually punished for HIPAA breaches?

Yes. Employers can impose sanctions under internal policies, and professional boards may discipline licensed staff. While OCR typically levies civil penalties on organizations, individuals can face criminal prosecution for intentional misuse or sale of PHI.

What obligations do covered entities have concerning subcontractors?

Covered entities must require business associate agreements with BAs, and BAs must flow down equivalent terms to subcontractors that handle PHI. You should oversee subcontractor compliance through due diligence, audits, and enforcement of contractual safeguards.
