Blog: HIPAA FAQ Series: Are Covered Entities Liable for Business Associates’ HIPAA Violations?

Cooley LLP

This post marks the beginning of a new series on this blog covering various frequently asked questions regarding the Health Insurance Portability and Accountability Act (HIPAA).  There are many questions regarding HIPAA applicability, implementation, and liability that come up repeatedly.  We plan to use this series to discuss and analyze certain of these FAQs.  We are kicking off this feature with a post regarding HIPAA liability.  Specifically, are Covered Entities liable for their Business Associates’ HIPAA violations?

Generally speaking, Covered Entities are liable for their Business Associates’ HIPAA violations in accordance with the federal common law of agency.  In other words, if a Covered Entity controls how a Business Associate performs its services, the Covered Entity can be held responsible for civil money penalties assessed in response to an act or omission of the Business Associate in the scope of such agency relationship that constitutes a violation of HIPAA.  Such control may exist if the Covered Entity dictates the manner and means by which the Business Associate performs its work, including but not limited to: skills required; tools and materials utilized; specific timing and location of work; discretion over modifications; and/or personnel involved.   Often, Covered Entities utilize Business Associate Agreements (BAAs) to clarify that no agency relationship exists between the parties.  Such language may be helpful but it will likely not be dispositive, since, if needed, a facts and circumstances analysis would be undertaken to determine whether a de facto agency relationship existed between the parties.

These same principles extend to Business Associates and their Subcontractors as well.  A Business Associate is liable for its Subcontractors’ HIPAA violations that occur in the scope of an agency relationship between the parties.  In such case, the Business Associate may be responsible for paying a civil money penalty assessed to its Subcontractor for a HIPAA violation that occurred while the Subcontractor was the Business Associate’s agent.

Liability stemming from agency is a relatively new concept to HIPAA; it was codified as part of the Final HIPAA Omnibus Rule, passed in 2013. Many Covered Entities and their advocates were opposed to this amendment to the law due to concerns about the ambiguity of whether an agency relationship exists. Because of this potential ambiguity, it is important for Covered Entities to understand the liability they could incur and to structure relationships with Business Associates accordingly.

Be sure to check back next week for another post in the HIPAA FAQs series.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Cooley LLP | Attorney Advertising
