The HIPAA Omnibus Rule: Covered Entity Liability for Business Associate Actions

by: Tricia A. Asaro
Greenberg Traurig, LLP - Albany Office

September 10, 2013

Previously published on September 9, 2013

In January of this year, the U.S. Department of Health and Human Services (HHS) issued new Omnibus regulations that strengthen the privacy and security protections established under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). These regulations will have wide-ranging implications for covered entities and business associates, which are required to comply with most provisions of the Omnibus regulations by September 23, 2013. This Alert is part of a continuing series of Alerts that highlight compliance issues in advance of the September 23rd compliance date.

One of the important changes under the Omnibus rule relates to covered entities' liability for the conduct of their business associates. Prior to the promulgation of the new regulations, covered entities could not be held liable for their business associates' HIPAA violations if the covered entity had an appropriate business associate agreement in place and either did not know of the business associate's material breach of the agreement or took reasonable steps to cure the breach and, if such steps were unsuccessful, terminated the agreement or reported the problem to HHS.

The Omnibus rule removed this safe harbor. A covered entity can now be held liable for the acts or omissions of its business associates that are acting as the covered entity's "agent," as determined under the federal common law of agency. This agent liability also extends to a business associate for the acts or omissions of its subcontractors.

Determining whether an agency relationship exists under federal common law will necessarily be a fact-specific inquiry. The terms of the relevant business associate agreement, as well as the totality of the circumstances surrounding the parties' relationship, will need to be considered. HHS has indicated that the essential factor in determining whether an agency relationship exists is the right or authority of a covered entity to control the business associate's conduct in the course of performing a service on behalf of the covered entity. However, a number of other factors must also be considered, including: (1) the time, place and purpose of the business associate's conduct; (2) whether the business associate engaged in a course of conduct subject to the covered entity's control; (3) whether the services provided by the business associate are commonly performed by business associates on behalf of covered entities; and (4) whether or not the covered entity would reasonably expect the business associate to engage in the conduct in question. Ultimately, the more discretion and independence the business associate has in performing functions for the covered entity, the less likely it is that an agency relationship exists.

To prepare for this change under the Omnibus rule, covered entities and business associates should review their own HIPAA compliance programs and those of their downstream business associates and subcontractors to ensure HIPAA and HITECH compliance. To avoid the creation of a possible agency relationship, it may also be desirable to amend business associate agreements to give business associates and subcontractors control over their handling of HIPAA-related functions.



 

The views expressed in this document are solely the views of the author and not Martindale-Hubbell. This document is intended for informational purposes only and is not legal advice or a substitute for consultation with a licensed legal professional in a particular case or circumstance.