In January of this year, the U.S. Department of Health and Human Services (HHS) issued new Omnibus regulations that strengthen the privacy and security protections established under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). These regulations will have wide-ranging implications for covered entities and business associates, which are required to comply with most provisions of the Omnibus regulations by September 23, 2013. This Alert is part of a continuing series of Alerts that highlight compliance issues in advance of the September 23rd compliance date.
One of the important changes under the Omnibus rule relates to covered entities’ liability for the conduct of their business associates. Prior to the promulgation of the new regulations, covered entities could not be held liable for their business associates’ HIPAA violations if the covered entity had an appropriate business associate agreement in place and either did not know of the business associate’s material breach of the agreement or took reasonable steps to cure the breach and terminated the agreement or reported the problem to HHS if such steps were unsuccessful.
The Omnibus rule removed this safe harbor. A covered entity can now be held liable for the acts or omissions of its business associates that are acting as the covered entity’s “agent,” as determined under the federal common law of agency. This agent liability also extends to a business associate for the actions or omissions of its subcontractors.
Determining whether an agency relationship exists under federal common law will necessarily be a fact-specific inquiry. The terms of the relevant business associate agreement, as well as the totality of the circumstances surrounding the parties’ relationship, will need to be considered. HHS has indicated that the essential factor in determining whether an agency relationship exists is the right or authority of a covered entity to control the business associate’s conduct in the course of performing a service on behalf of the covered entity. However, a number of other factors must also be considered, including: (1) the time, place and purpose of the business associate’s conduct; (2) whether the business associate engaged in a course of conduct subject to the covered entity’s control; (3) whether the services provided by the business associate are commonly performed by business associates on behalf of covered entities; and (4) whether or not the covered entity would reasonably expect the business associate to engage in the conduct in question. Ultimately, the more discretion and independence the business associate has in performing functions for the covered entity, the less likely it is that an agency relationship exists.
To prepare for this change under the Omnibus rule, covered entities and business associates should review their own HIPAA compliance programs and those of their downstream business associates and subcontractors to ensure HIPAA and HITECH compliance. To avoid the creation of a possible agency relationship, it may also be desirable to amend business associate agreements to give business associates and subcontractors control over their handling of HIPAA-related functions.