This post marks the beginning of a new series on this blog covering various frequently asked questions regarding the Health Insurance Portability and Accountability Act (HIPAA). There are many questions regarding HIPAA applicability, implementation, and liability that come up repeatedly. We plan to use this series to discuss and analyze certain of these FAQs. We are kicking off this feature with a post regarding HIPAA liability. Specifically, are Covered Entities liable for their Business Associates’ HIPAA violations?
Generally speaking, Covered Entities are liable for their Business Associates’ HIPAA violations in accordance with the federal common law of agency. In other words, if a Covered Entity controls how a Business Associate performs its services, the Covered Entity can be held responsible for civil money penalties assessed in response to an act or omission of the Business Associate in the scope of such agency relationship that constitutes a violation of HIPAA. Such control may exist if the Covered Entity dictates the manner and means by which the Business Associate performs its work, including but not limited to: skills required; tools and materials utilized; specific timing and location of work; discretion over modifications; and/or personnel involved. Often, Covered Entities utilize Business Associate Agreements (BAAs) to clarify that no agency relationship exists between the parties. Such language may be helpful, but it will likely not be dispositive, since, if needed, a facts-and-circumstances analysis would be undertaken to determine whether a de facto agency relationship existed between the parties.
These same principles extend to Business Associates and their Subcontractors as well. A Business Associate is liable for its Subcontractors’ HIPAA violations that occur in the scope of an agency relationship between the parties. In such case, the Business Associate may be responsible for paying a civil money penalty assessed to its Subcontractor for a HIPAA violation that occurred while the Subcontractor was the Business Associate’s agent.
Liability stemming from agency is a relatively new concept to HIPAA; it was codified as part of the Final HIPAA Omnibus Rule, passed in 2013. Many Covered Entities and their advocates were opposed to this amendment to the law due to concerns about the ambiguity of whether an agency relationship exists. Because of this potential ambiguity, it is important for Covered Entities to understand the liability they could incur and to structure relationships with Business Associates accordingly.
Be sure to check back next week for another post in the HIPAA FAQs series.