Practice Group Members
Information and Technology Practice Group
Robert Coffield, Vice Chair of Membership
Patricia King, Vice Chair of Research and Website
Amy Leopard, Vice Chair of Educational Programs
Vice Chair of Strategic Activities
Linda Ross, Vice Chair of Publications
Date: January 28, 2013
Agency Comes of Age: Beware Increased
By Martha Ann Knutson*
One of the most significant changes made by the
Omnibus Health Insurance Portability and Accountability Act (HIPAA) Final
Rule (Final Rule) is the removal of an exception in 45 C.F.R. Section
160.402(c) that addresses liability for civil monetary penalties (CMPs)
when a HIPAA violation is "attributed" to a covered entity (CE).
This section still imposes liability "in accordance with the federal
common law of agency" based on acts and omissions of the CE's
"agents." Previously the regulation provided that a CE was not
responsible for the missteps of business associate (BA) agents that were
unknown to the CE. This exception now has been removed. Under the Final
Rule, both CEs and BAs will face potential CMP liability for their agents'
acts or omissions within the scope of the agency.1
The "Federal Common Law of
The U.S. Department of Health & Human Services'
Office for Civil Rights (OCR) continues to apply the federal "common
law" on this issue rather than state standards that normally govern
contracts, in order that federal statutes may be applied uniformly
But We Said "Independent
In the preamble to the Final Rule, OCR clarifies
that labels used by the parties in a BA agreement or underlying contract do
not control whether OCR will find a principal/agent relationship between
the parties. Instead, the existence of agency is a "fact
specific" analysis. The "essential factor" will be the CE's
or BA's right or authority to control performance by the contractor,
specifically the right to give the contractor interim instructions or
directions. If the only way the CE or BA can exercise control over the
contractor is to terminate the contract or sue the contractor for
non-performance, then there is no agency.
If, however, the contract provides that a service
will or may be subject to specific directions from the CE (or the BA in its
agreement with a subcontractor), then there is probably an agency
relationship. The CE or BA need not retain the right to control every
aspect of the contractor's performance, actually exercise such a right, or
even be in the same country to create an agency relationship.
In sum, the existence of an agency relationship is
determined by a "totality of the circumstances" test, including
whether the CE or BA has the specialized skill to provide interim
instructions to its contractor and whether the CE or BA legally can perform
the service that the contractor provides. If the potential principal has
neither the expertise nor the legal right to perform the service, its
contractor is likely not an "agent."
Further, regardless of the wording in the
agreement, if the CE delegates one of its particular obligations under
HIPAA to a BA, an agency relationship has been created. Thus, for example,
if a BA is contracted to deliver a CE's notice of privacy practices and
fails to do so, this failure will be "attributed" to the CE--the
principal--for purposes of assessing a CMP.
"Outside the Scope of the
For liability to attach, the agent's misstep also
must occur within the scope of the agency relationship. Defining the scope
of the agency created by a particular arrangement is also a fact-specific
inquiry requiring an evaluation of various factors, including:
- The time, place, and purpose of the agent's conduct;
- Whether the agent is engaged in a course of conduct
subject to the principal's control;
- Whether the agent's conduct is commonly done by an
agent to accomplish the service performed on behalf of the principal;
- Whether or not the principal reasonably expected
that an agent would engage in the conduct in question.
Once again, the terms of the agreement are not
dispositive of whether a particular act or omission is outside the scope of
the agency. Rather, an agent's conduct generally is outside the scope of
agency when its conduct is solely for its own benefit (or that of a third
party), or when the agent pursues a course of conduct not intended to serve
any purpose of the principal.
Accordingly, a BA that negligently discloses
protected health information (PHI) in the course of its duties may create
CMP liability for its CE, but a BA that discloses PHI to a third party for
profit would not.2
Workforce Member Agents
Agency liability is not a consideration with regard
to BAs alone. Workforce members of CEs and BAs generally qualify as agents
as well, since they must be under the "direct control"3
of the CE (or BA), even if they are not employees.
Agency and Breaches
The Final Rule also incorporates the "federal
common law of agency" for determining when a CE has knowledge of a
breach of unsecured PHI.4 If a BA becomes aware of a breach and
the BA is an agent, the knowledge is imputed to the CE.
*We would like to thank Martha Ann
Knutson, Esquire (Attorney and Counselor at Law, San Diego, CA), for
authoring this email alert. We would also like to thank the Health
Information and Technology Practice Group leadership for sharing this alert
with the rest of AHLA's Practice Groups.
1 OCR's discussion and guidance on this topic appears at
78 Fed. Reg. 5566, 5580-5582 (January 25, 2013); see also 70 Fed.
Reg. 20224, 20237 (April 18, 2005) [proposed enforcement rule]--affirmative
defense based on lack of knowledge and 71 Fed. Reg. 8390, 8402-8403 (Feb.
16, 2006) [final enforcement rule].
2 See also
75 Fed. Reg. 40878-79 (July 14, 2010) [proposed HITECH rule] (employee's
knowledge of an intentional violation not imputed to the principal).
3 45 C.F.R. § 160.103 (definition of "workforce").
4 45 C.F.R. § 164.410(a)(2) and 78 FR 5655-5656.