From: Health Information and Technology Practice Group Leadership
Sent: Monday, January 28, 2013 2:27 PM
Subject: Agency Comes of Age: Beware Increased Liability Exposure under HIPAA


American Health Lawyers Association

Practice Groups - Email Alert


To:    AHLA Practice Group Members

From: Health Information and Technology Practice Group
         Patricia Markus, Chair
         Robert Coffield, Vice Chair of Membership
         Patricia King, Vice Chair of Research and Website
         Amy Leopard, Vice Chair of Educational Programs
         Daniel Orenstein, Vice Chair of Strategic Activities
         Linda Ross, Vice Chair of Publications

Date: January 28, 2013

Agency Comes of Age: Beware Increased Liability Exposure under HIPAA

By Martha Ann Knutson*

One of the most significant changes made by the Omnibus Health Insurance Portability and Accountability Act (HIPAA) Final Rule (Final Rule) is the removal of an exception in 45 C.F.R. Section 160.402(c) that addresses liability for civil monetary penalties (CMPs) when a HIPAA violation is "attributed" to a covered entity (CE). This section still imposes liability "in accordance with the federal common law of agency" based on acts and omissions of the CE's "agents." Previously the regulation provided that a CE was not responsible for the missteps of business associate (BA) agents that were unknown to the CE. This exception now has been removed. Under the Final Rule, both CEs and BAs will face potential CMP liability for their agents' acts or omissions within the scope of the agency.1

The "Federal Common Law of Agency"

The U.S. Department of Health & Human Services' Office for Civil Rights (OCR) continues to apply the federal "common law" on this issue rather than state standards that normally govern contracts, in order that federal statutes may be applied uniformly nationwide.

But We Said "Independent Contractor"

In the preamble to the Final Rule, OCR clarifies that labels used by the parties in a BA agreement or underlying contract do not control whether OCR will find a principal/agent relationship between the parties. Instead, the existence of agency is a "fact specific" analysis. The "essential factor" will be the CE's or BA's right or authority to control performance by the contractor, specifically the right to give the contractor interim instructions or directions. If the only way the CE or BA can exercise control over the contractor is to terminate the contract or sue the contractor for non-performance, then there is no agency.

If, however, the contract provides that a service will or may be subject to specific directions from the CE (or the BA in its agreement with a subcontractor), then there is probably an agency relationship. The CE or BA need not retain the right to control every aspect of the contractor's performance, actually exercise such a right, or even be in the same country to create an agency relationship.

In sum, the existence of an agency relationship is determined by a "totality of the circumstances" test, including whether the CE or BA has the specialized skill to provide interim instructions to its contractor and whether the CE or BA legally can perform the service that the contractor provides. If the potential principal has neither the expertise nor the legal right to perform the service, its contractor is likely not an "agent."

Further, regardless of the wording in the agreement, if the CE delegates one of its particular obligations under HIPAA to a BA, an agency relationship has been created. Thus, for example, if a BA is contracted to deliver a CE's notice of privacy practices and fails to do so, this failure will be "attributed" to the CE--the principal--for purposes of assessing a CMP.

"Outside the Scope of the Agency" Defense

For liability to attach, the agent's misstep also must occur within the scope of the agency relationship. Defining the scope of the agency created by a particular arrangement is also a fact-specific inquiry requiring an evaluation of various factors, including:

  1. The time, place, and purpose of the agent's conduct;
  2. Whether the agent is engaged in a course of conduct subject to the principal's control;
  3. Whether the agent's conduct is commonly done by an agent to accomplish the service performed on behalf of the principal; and
  4. Whether or not the principal reasonably expected that an agent would engage in the conduct in question.

Once again, the terms of the agreement are not dispositive of whether a particular act or omission is outside the scope of the agency. Rather, an agent's conduct generally is outside the scope of agency when its conduct is solely for its own benefit (or that of a third party), or when the agent pursues a course of conduct not intended to serve any purpose of the principal.

Accordingly, a BA that negligently discloses protected health information (PHI) in the course of its duties may create CMP liability for its CE, but a BA that discloses PHI to a third party for profit would not.2

Workforce Member Agents

Agency liability is not a consideration with regard to BAs alone. Workforce members of CEs and BAs generally qualify as agents as well, since they must be under the "direct control"3 of the CE (or BA), even if they are not employees.

Agency and Breaches

The Final Rule also incorporates the "federal common law of agency" for determining when a CE has knowledge of a breach of unsecured PHI.4 If a BA becomes aware of a breach and the BA is an agent, the knowledge is imputed to the CE.

*We would like to thank Martha Ann Knutson, Esquire (Attorney and Counselor at Law, San Diego, CA), for authoring this email alert. We would also like to thank the Health Information and Technology Practice Group leadership for sharing this alert with the rest of AHLA's Practice Groups.

1 OCR's discussion and guidance on this topic appears at 78 Fed. Reg. 5566, 5580-5582 (January 25, 2013); see also 70 Fed. Reg. 20224, 20237 (April 18, 2005) [proposed enforcement rule] (affirmative defense based on lack of knowledge) and 71 Fed. Reg. 8390, 8402-8403 (Feb. 16, 2006) [final enforcement rule].
2 See also 75 Fed. Reg. 40878-79 (July 14, 2010) [proposed HITECH rule] (employee's knowledge of an intentional violation not imputed to the principal).
3 See 45 C.F.R. 160.103 (definition of "workforce").
4 45 C.F.R. 164.410(a)(2) and 78 Fed. Reg. 5655-5656.

Member benefit educational opportunity:
Be sure to register for the Health Information and Technology Practice Group mid-year luncheon presentation, entitled "HIPAA Security Risk Assessment" (February 13), at the Hospitals and Health Systems Law Institute (February 12-13, Phoenix, AZ).


Disclaimer: The information obtained by the use of this service is for reference use only and does not constitute
the rendering of legal, financial, or other professional advice by the American Health Lawyers Association.

2013 American Health Lawyers Association