Avoiding Liability for Business Associates' Breaches: Rule Changes Overview

by Jonathan P. Tomes

HIM professionals and privacy and security officers are likely already familiar with their facility’s business associates. But with the recent dramatic changes to the business associate relationship in the HITECH Act and the Omnibus Final Rule, there is plenty of new ground to cover. This three-part article series offers suggestions that health information management professionals may incorporate in managing these increased compliance burdens in order to protect both patient privacy and their organization’s interests. The three installments will cover background on these changes, guidance on how to avoid liability for breaches by business associates, and discussion on adjustments needed in the business associate relationship as well as ongoing strategies for adapting to the recent changes.

This first installment of the series will provide background on the changes to the business associate (BA) relationship in the HITECH Act and Omnibus Final Rule.

HITECH and Omnibus Rule Changes to the BA Relationship

In the HITECH Act, Congress effectively made HIPAA business associates—that is, persons or entities that provide a service for or on behalf of a covered entity other than the provision of healthcare—into covered entities, thereby expanding government regulation of healthcare to additional areas such as transcription services, copy services, billing services, and medical marketing services.1

In addition, the Omnibus Final Rule expanded the definition of “business associate” to mean a person or entity that creates, receives, maintains, or transmits protected health information (PHI) to perform certain functions or activities on behalf of a covered entity.

The final rule also adds a new category of services—patient safety activities—to the list of functions and activities that a person or an entity may undertake on behalf of a covered entity that gives rise to a business associate relationship. The following three categories of service providers are specifically identified as business associates under the final rule:2

  • Health information organizations, e-prescribing gateways, and other people or entities that provide data transmission services to a covered entity with respect to PHI and that require access on a routine basis to such PHI
  • People or entities that offer personal health records to one or more individuals on behalf of a covered entity
  • Subcontractors that create, receive, maintain, or transmit PHI behalf of business associates

The addition of subcontractors means that all requirements and obligations that apply to direct contract business associates of a covered entity also apply to all “downstream” service providers. Thus, the rule makes it clear that subcontractors face the same criminal and civil liability as do covered entities and “upstream” business associates and must follow those security and privacy rules applicable to business associates.

For another of the changes important to note, the HITECH Act and final rule not only expanded the list of entities that are defined as business associates, but also it expanded the liability for breaches of health information confidentiality. Before the HITECH Act, covered entities were only liable for the breach of one of their business associates if they had actual knowledge of the breach and did not take any action to remediate it.3 The HITECH Act and the Omnibus Final Rule, however, greatly expanded both business associate and covered entity liability for breaches by business associates. Under §13410 of the HITECH Act, a business associate is now directly liable for uses and disclosures of PHI that are not in accord with its business associate agreements or HIPAA’s rules.

Covered entities will also now be liable for breaches by business associates under the federal common law of agency.4 Such liability may include civil money penalties or the new federal lawsuit authorized by the HITECH Act, as well as the payment of damages in a lawsuit.5,6

The discussion of the rule set forth guidance on when a business associate of a covered entity or a business associate of a business associate is an agent so as to face this liability. The US Department of Health and Human Services (HHS) noted that the essential factor in determining whether an agency relationship exists between a covered entity and its business associate (or business associate and its subcontractor) is the right or authority of a covered entity to control the business associate’s conduct in the course of performing a service on behalf of the covered entity. The right or authority to control the business associate’s conduct also is the essential factor in determining whether an agency relationship exists between a business associate and its business associate subcontractor.

Thus, if the only authority that the covered entity or business associate has is to specify the business associate’s duties in the business associate agreement and to fire the business associate or to sue it for breach of contract if it does not perform, that level of authority would indicate that no agency relationship existed. See the side bar below for more on determining the presence of an agency relationship. If, however, the business associate contract required the business associate to perform some service involving PHI “as specified by the covered entity” (or upstream business associate), then an agency relationship would exist. HHS noted that several factors are important to consider in any analysis to determine the scope of agency:

  • The time, place, and purpose of a business associate agent’s conduct
  • Whether a business associate agent engaged in a course of conduct subject to a covered entity’s control
  • Whether a business associate agent’s conduct is commonly done by a business associate to accomplish the service performed on behalf of a covered entity
  • Whether or not the covered entity reasonably expected that a business associate agent would engage in the conduct in question.
In Community for Creative Non-Violence v. Reid, 490 U.S. 730 (1989), and Nationwide Mut. Ins. Co. v. Darden, 112 S.Ct. 1344 (1992), the US Supreme Court set forth thirteen factors as constituting a non-exhaustive list of factors to consider when applying the common law agency test:

  1. Hiring party’s right to control the manner and means by which the product is accomplished.
  2. Skill required.
  3. Source of the instrumentalities and tools.
  4. Location of the work.
  5. Duration of the relationship between the parties.
  6. Whether the hiring party has the right to assign additional projects to the hired party.
  7. Extent of the hired party’s discretion over when and how long to work.
  8. Method of payment.
  9. Hired party’s role in hiring and paying assistants.
  10. Whether the work is part of the regular business of the hiring party.
  11. Whether the hiring party is in business.
  12. Provision of employee benefits.
  13. Tax treatment of the hired party.

HHS noted that a business associate can be an agent of a covered entity:7

  • Despite the fact that a covered entity does not retain the right or authority to control every aspect of its business associate’s activities
  • Even if a covered entity does not exercise the right of control but evidence exists that it holds the authority to exercise that right
  • Even if a covered entity and its business associate are separated by physical distance (such as if a covered entity and a business associate are located in different countries)

The second installment of this series will discuss specific ways to avoid liability for business associates’ breaches.


[1] 45 C.F.R. § 160.103

[2] 45 C.F.R. §§ 164.306, 164.314(a)

[3] 45 C.F.R. § 164.504(e)(1)

[4] Omnibus Rule § 160.402(c)

[5] Grunberger, Rachel and Dena Feldman. “Court Dismisses Minnesota AG’s HIPAA Enforcement Action Against Business Associate Following Settlement.” Inside Privacy. August 24, 2012. http://www.insideprivacy.com/health-privacy/court-dismisses-minnesota-ags-hipaa-enforcement-action-against-business-associate-following-settleme/.

[6] HITECH Act § 13410(e)

[7] Department of Health and Human Services. “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule.” Federal Register. Vol. 78, No. 17, January 25, 2013. http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/html/2013-01073.htm.

Jonathan P. Tomes (jon@tomesdvorak.com) is a partner at Tomes & Dvorak, Chartered, in Overland Park, KS, president of EMR Legal, Inc., a HIPAA consulting company, and the author of more than 60 books and dozens of articles on medical records law and HIPAA.

Original source:
Tomes, Jonathan P.. "Avoiding Liability for Business Associates' Breaches: Rule Changes Overview" (Journal of AHIMA), January 2014.