
HIPAA Breaches: Times you can be held liable for a business associate’s HIPAA breach

Recent clarifications on HIPAA liability underscore the importance of maintaining protected health information and taking precautions when working with third parties.

At some point, all healthcare providers need to engage third parties to perform activities or functions on their behalf. In so doing, providers need to ensure those third parties maintain confidentiality of information learned in the course of their services. Providers must be even more vigilant when those third parties have access to certain patient information.

Providers who are considered covered entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are required to properly protect an individual’s health information in compliance with the requirements set forth in the HIPAA Privacy, Security, Breach Notification and Enforcement Rules (the HIPAA Rules).

Specifically, the Privacy Rule allows such access to and disclosure of protected health information (PHI) by third parties, defined as business associates, only if the provider obtains satisfactory assurances in writing from the business associate that it will:

  • use the PHI only for the purpose for which it was engaged by the provider,
  • safeguard the information from misuse and
  • help the provider comply with some of its duties under the Privacy Rule.

The provider, and in certain situations its business associate, has direct liability under HIPAA, meaning that should either party breach certain aspects of the HIPAA Rules, the HHS Office for Civil Rights (OCR) may bring an enforcement action directly against that party. Recently, OCR issued a fact sheet that specifically identifies the only situations in which a business associate has direct liability under HIPAA.

Those 10 situations are:

The fact sheet is important because it reminds us there are situations in which a business associate could cause a breach of HIPAA but not be directly liable to OCR. In those situations, it is the provider who would likely be directly liable to OCR for the business associate’s actions.

As an example, the HIPAA Rules prohibit a provider from charging fees to their patients in excess of a specified limitation for copies of or access to their PHI. In the event the business associate agreement authorizes the business associate to fulfill a request by an individual for access to his or her PHI, and the business associate charges a fee that exceeds the amount permitted under HIPAA, then the provider would be directly liable to OCR for those actions.

To address these situations, providers should incorporate language into the indemnification provision of their business associate agreements requiring that the business associate indemnify the provider “for any actions or omissions of the business associate that cause the provider to fail to satisfy its obligations under the HIPAA Rules.” Additionally, to the extent a provider carries insurance covering HIPAA-related liability, the provider should seek to ensure that the policy covers liability caused by the actions or omissions of its business associates.

About the Author

Rose J. Willis, JD, is a Member at Dickinson Wright PLLC. She focuses her practice on healthcare regulatory, transactional and corporate law in her representation of healthcare providers and suppliers and other participants in the healthcare industry. Rose regularly counsels healthcare industry clients on matters involving mergers and acquisitions, software agreements, physician referral rules, certificates of need, privacy and security of health information, corporate documents and compliance program elements.

© 2024 MJH Life Sciences