Agency Liability under the HIPAA Privacy and Security Rules | Practical Law


A discussion of how the federal common law rules of agency apply to HIPAA covered entities and business associates, for purposes of determining civil money penalties under the HIPAA privacy and security rules, under HHS final regulations issued in January 2013.  

Agency Liability under the HIPAA Privacy and Security Rules

Practical Law Legal Update 0-549-3389 (Approx. 4 pages)


by Practical Law Employee Benefits & Executive Compensation
Published on 19 Nov 2013 | USA (National/Federal)
Under HHS final regulations issued in January 2013 (Final Regulations), certain violations of the HIPAA privacy and security rules can be attributed to covered entities (CEs) and business associates (BAs). In addition to the Final Regulations, HHS addressed the extent of this liability in the preamble to the Final Regulations. In particular, a CE is liable for civil money penalties under the federal common law rules of agency for violations (acts or omissions) by the CE's agents, including BAs and workforce members, acting within the scope of the agency. This is the rule regardless of whether the CE has in place a compliant BA agreement (see Standard Document, HIPAA Business Associate Agreement). A BA can similarly be liable for civil money penalties for violations by the BA's agents, including subcontractors and workforce members, acting within the scope of the agency. (For a discussion of who is a subcontractor under the Final Regulations, see Practice Note, HIPAA Privacy Rule: Subcontractors Are Business Associates.)

CE or BA Liability and Agency Law

Whether a BA is a CE's agent is a fact-specific analysis that takes into account:
  • The terms of a BA agreement.
  • The full circumstances of the parties' ongoing relationship.
The essential factor in determining whether an agency relationship exists between a CE and its BA (or a BA and its subcontractor) is the authority of:
  • A CE to control the BA's conduct in performing services on the CE's behalf.
  • A BA to control the BA-subcontractor's conduct in performing services on the BA's behalf.

Determining Whether Sufficient Control Exists

According to HHS, a CE's authority to give interim instructions or directions is the type of control that distinguishes CEs in agency relationships from those in non-agency relationships. In general, a BA is not an agent if:
  • It enters into a BA agreement with a CE that sets terms creating contractual obligations between the two parties.
  • The only avenue of control is for a CE to:
    • amend the terms of the agreement; or
    • sue for breach of contract.
In contrast, a BA would likely be a CE's agent if:
  • It enters into a BA agreement with a CE that grants the CE authority to direct the performance of the BA's service after the relationship was established.
  • A CE contracts out or delegates a particular obligation under the HIPAA rules to its BA (depending on the right or authority to control the BA's conduct in performing the delegated service, based on the CE's right to give interim instructions).
For example, assume that the terms of a BA agreement between a CE and a BA require the BA to make available protected health information (PHI), under 45 C.F.R. § 164.524, based on instructions to be provided by (or under the direction of) the CE. This BA agreement provision would create an agency relationship between the CE and the BA, as to this activity, because the CE has a right to give interim instructions and direction during the course of the parties' relationship.
The following principles apply in determining whether an agency relationship exists:
  • The manner and method in which a CE actually controls the service provided is determinative.
  • The terms, statements or labels given to the parties (for example, independent contractor) are not determinative.
  • The type of service and skill level required to perform the service are relevant factors in determining whether a BA is an agent. For example, a BA hired to perform de-identification of PHI for a small provider probably would not be an agent, because the small provider would likely lack the expertise to provide interim instructions to the BA regarding this activity.
  • An agency relationship would not likely exist when a CE is legally or otherwise prevented from performing the service or activity performed by its BA.
In addition, a BA can be a CE's agent:
  • Even if a CE does not retain the right or authority to control every aspect of its BA's activities.
  • Even if a CE does not exercise the right of control, but evidence exists that it holds the authority to exercise that right.
  • Even if a CE and its BA are separated by physical distance (for example, if the CE and BA are located in different countries).

Defining the Scope of the Agency Relationship

In determining the scope of the agency relationship, the following factors apply:
  • The time, place and purpose of a BA agent's conduct.
  • Whether a BA agent engaged in a course of conduct subject to a CE's control.
  • Whether a BA's conduct is commonly done by a BA to accomplish the service performed on a CE's behalf.
  • Whether the CE reasonably expected that a BA agent would engage in the conduct at issue.
HHS takes a relatively broad view in characterizing the scope of the agency relationship. In general, according to HHS, a BA agent's conduct falls within the scope of agency when the conduct occurs during the performance of the assigned work or incident to that work. This rule applies regardless of whether:
  • The work was done carelessly.
  • A mistake was made in performing the work.
  • The BA disregarded a CE's specific instruction.
For example, a BA agent would likely be acting within the scope of the agency if it impermissibly disclosed more than the minimum necessary information to a health plan for purposes of payment, even if the disclosure is contrary to the CE's clear instructions. In contrast, a BA agent's conduct would generally fall outside the scope of agency when either:
  • The BA agent's conduct is solely for its own benefit (or that of a third party).
  • It pursues a course of conduct not intended to serve any purpose of the CE.