Under the HIPAA Privacy Rule, a covered entity may, in some circumstances, be liable for its business associate breach under the business associate agreement.
When May a Covered Entity be Liable for a Business Associate Breach of the Business Associate Agreement?
A covered entity may be liable for business associate misconduct or violations when:
-
- The covered entity knew of a pattern of activity or practice of the business associate that constituted a material (meaningful) breach or violation of the business associate agreement; and
- Failed to take reasonable steps to cure the breach or end the violation, or, if these measures were unsuccessful, failed to terminate the agreement.
When is a Covered Entity Deemed to Have Knowledge of a Business Associate Breach?
A covered entity is deemed to “know” of a violation by a business associate, if the covered entity has substantial and credible evidence of a violation.
While a covered entity is not required under HIPAA to actively monitor a business associate, the covered entity should:
- Investigate complaints or other information that contain substantial and credible evidence of a violation; and
- Act upon any knowledge of such violation that it possesses.
When Else May a Covered Entity be Liable for a Business Associate Breach?
If the business associate agreement relationship is one under which the business associate’s work or services are performed under the control of the principal, and on behalf of the principal, what has been created is essentially an “agency” relationship.
Under the law of agency, a covered entity may be liable for a business associate’s acts or omissions, the law of agency states that if one party (called a principal) authorizes another party (called an agent) the right to perform work or services under the control of the principal, and on behalf of the principal, the principal may be “vicariously liable” (that is, liability will be legally imputed, or attributed, to the principal, because the principal is in a superior legal relationship to the agent by virtue of the principal’s ability to direct the agent’s work performance) for wrongdoing committed by the agent.
Under HIPAA, a covered entity may be vicariously liable for civil monetary penalties imposed against the business associate, if:
- The business associate commits a violation under the agreement that results in OCR imposing a civil monetary fine; and
- The violation was committed within the scope of the principal-agent relationship (that is, within the scope of what the principal authorized the agent to do under the business associate agreement).
Is There a Way to Prevent Vicarious Liability?
Yes. Simply put, to avoid vicarious liability, do not enter into a business associate agreement that gives you the right to control the business associate’s day-to-day work performance. Do not include language in the agreement that suggests or implies such a right exists.
Instead, as the covered entity, ensure that the business associate agreement clearly identifies the business associate as an independent contractor, not an agent, and that the covered entity does not control the actions or operations of the business associate or contractor. As a general rule, under an independent contractor relationship, the party contracting for services (here, the covered entity) is not liable for the independent contractor’s (the business associate’s) wrongdoing.