In an earlier post, I discussed the HITECH Act provision under the federal stimulus legislation that will require HIPAA business associates to comply with the requirements of the HIPAA Security Rule. The HITECH Act takes a different (and less direct) approach to business associate obligations under the HIPAA Privacy Rule.
The HITECH Act requires the business associate to only use or disclose protected health information ("PHI") consistent with its obligations under its business associate agreement with a covered entity (the provisions of which are dictated by the Privacy Rule). Therefore, if a business associate violates the terms of its business associate agreement, the business associate may be subject to the same civil and criminal penalties under HIPAA as a covered entity who violated the Privacy Rule. It's also important to note that the HITECH Act substantially increases the civil penalties that may be imposed for HIPAA violations.
The bottom line is this -- commencing February 17, 2010, a business associate's violation of a HIPAA business associate agreement is a violation of law that may result in civil or criminal sanctions.