Avoiding Liability for Business Associates' Breaches: Adjustments and Ongoing Strategies

by Jonathan P. Tomes

This is the third installment in a three-part article series on avoiding liability for breaches by business associates. This article will discuss adjustments needed in the business associate relationship, as well as ongoing strategies for adapting to the recent changes.

For background on the changes to the business associate relationship in the HITECH Act and the Omnibus Final Rule, see the first installment in this series. For guidance on how to avoid liability for breaches by business associates, see the second installment in this series.

Adjustments and Ongoing Strategies

The changes to the business associate relationship necessitated by the rule changes could result in several consequences for which health information management professionals should be prepared.

  • Business associates that perform services for other entities besides covered entities, such as a document destruction service that can also destroy bank, savings and loan, and other businesses’ records, may simply stop serving covered entities and upstream business associates. A transcription service, on the other hand, may have no business other than that provided to covered entities and thus have to sign the new business associate agreements.
  • Business associates may have to raise their fees to cover the increased compliance and liability costs inherent in the changed relationship.
  • Covered entities and upstream business associates may have to bring business associate functions back inside the facility. A hospital, for example, may choose to open up a transcription department or have a transcription subset of the health information management department if its transcription service either refuses to sign the new business associate contract or demands more compensation for its services. The uncertainty of whether the covered entity will be liable under the federal law of agency may also be a factor in deciding to bring services back within the fold. Does existing insurance, for example, cover a breach by a business associate that the covered entity may be liable for with only the legal concept of the federal common law of agency as support?
  • Increased legal fees for the review of business associate agreements and litigation involving downstream business associate liability should also be taken into consideration. Covered entities may consider having competent counsel review the new contracts required by the HITECH Act and Omnibus Rule because of the increased liability faced by business associates and the covered entities that they serve, particularly with the expansion of liability under the federal common law of agency.
  • The need for more liability insurance that covers liability for breaches by downstream business associates should also be taken into consideration.

Covered entities cannot be complacent about the current level of compliance of business associates. In the required cost-benefit analysis of the Omnibus Final Rule, the Department of Health and Human Services (HHS) assumed that most business associates currently implement security measures that meet the Security Rule requirements.[1, 2] Although some business associates have such measures in place—such as healthcare clearinghouses, billing services, and transcription services—business associates with services less specific to healthcare—such as copy services—may not have implemented these measures. Subcontractors in particular are less likely to have such a level of security compliance. In the Federal Register, HHS noted:

[W]e recognize that some smaller or less sophisticated business associates may not have engaged in the formal administrative safeguards required by the HIPAA Security Rule, and may not have written policies and procedures for compliance. For these business associates, we estimate that the costs to come into compliance with the Security Rule will be between approximately $22.6 million and $113 million. Annualizing the midpoint estimate ($67.8 million) at 3 percent and 7 percent produces costs of $7.9 million and $9.7 million, respectively.[3]

HHS acknowledged that some business associates may make such efforts for the first time now that they and their subcontractors are subject to direct liability for HIPAA breaches. For these business associates, HHS estimated that the costs to bring subcontracts into compliance with the business associate agreement requirements will be between $21 million and $42 million. The annualized cost at 3 percent and 7 percent will result in costs of $3.7 million and $4.5 million, respectively.[4]

Considering that HHS notes that the rule also applies to approximately 1–2 million business associates (this number may overestimate the number of business associates, as some entities may be business associates to multiple covered entities) and a number of subcontractors that HHS could not estimate, these annualized costs seem to be wishful thinking. HHS has also stated that it assumes that no more than 25 percent are likely to incur some cost to document their administrative safeguards and their policies and procedures as now required by statute and these regulations—an assumption difficult to definitively support.[5]

This notion brings up the issue of whether covered entities must audit their business associates for HIPAA compliance. If a covered entity exercises enough control over a business associate that it qualifies as an agent of the covered entity under the federal common law of agency, auditing the business associate’s HIPAA compliance may be necessary as a risk management measure. Another option would be to require the business associate to provide an independent audit of its HIPAA compliance as a condition of being hired to provide services involving protected health information.

Note that a covered entity does not need to have a business associate agreement in place with subcontractors of its business associates—the business associate agreement must require the business associates to do so.[6]

The Omnibus Rule adds new transition provisions at § 164.532(d) and (e) to allow covered entities and business associates (and business associates and business associate subcontractors) to continue to operate under certain existing contracts for up to one year beyond the compliance date of the revisions to the Rules. HHS provided the following guidance on those existing contracts:

With respect to those business associate agreements that already have been renegotiated in good faith to meet the applicable provisions in the HITECH Act, covered entities should review such agreements to determine whether they meet the final rule’s provisions. If they do not, these covered entities then have the transition period to make whatever additional changes are necessary to conform to the final rule. The transition period is also available to those agreements that require compliance with all applicable laws (to the extent the agreements were otherwise in compliance with the HIPAA Rules prior to this final rule).[7]

Considering that the compliance date for these Omnibus Final Rule business associate changes was September 23, 2013, the following steps should be taken quickly if organizations have not already begun the process:

  • Identify business associates.
  • Identify when business associate agreements were last updated.
  • Determine whether business associate agreements are comprehensive and incorporate the Omnibus Final Rule changes.
  • If business associate agreements are not comprehensive and fail to incorporate the Omnibus Final Rule changes, draft compliant ones and obtain legal review in time to have them in place as soon as possible. Remember that the Omnibus Final Rule makes covered entities liable for business associate breaches even if they do not have a compliant business associate agreement in place.
  • Have business associate agreements in place as soon as possible to allow business associates to get compliant business associate agreements in place with their subcontractors.
  • Review insurance to determine whether a breach by a business associate is covered and, if not, whether the business associate agreement should require indemnification (indemnification may be a good thing to include regardless of insurance, as policies may have deductibles or a policy limit that the breach’s damages could exceed).
  • Set up a suspense file for business associate agreements that qualify for the extension of the compliance date to ensure that they are updated in a timely fashion.
  • Consider whether to require business associates to provide proof that they are HIPAA-compliant or whether you need to audit them.
  • If a business associate breach has occurred, get all over it! Mitigating the harm of a breach is the best way to minimize any potential liability.

Tomes, Jonathan P. How to Handle HIPAA and HITECH Act Breaches, Complaints, and Investigations: Everything You Need to Know. Overland Park, KS: Veterans Press, 2011.


[1] Executive Orders 12866 and 13563.

[2] Department of Health and Human Services. “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule.” Federal Register. Vol. 78, No. 17, January 25, 2013. http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/html/2013-01073.htm.

[3] Ibid.

[4] Ibid.

[5] Ibid.

[6] 45 C.F.R. § 164.308(b)(1).

[7] Ibid., Department of Health and Human Services.

Jonathan P. Tomes (jon@tomesdvorak.com) is a partner at Tomes & Dvorak, Chartered, in Overland Park, KS, president of EMR Legal, Inc., a HIPAA consulting company, and the author of more than 60 books and dozens of articles on medical records law and HIPAA.

Original source:
Tomes, Jonathan P. "Avoiding Liability for Business Associates' Breaches: Adjustments and Ongoing Strategies" (Journal of AHIMA), January 2014.