The HITECH Act expanded the liability of business associates in a number of ways, primarily by making them face the same civil and criminal liability as do covered entities, as well as by making them responsible for complying with the Security Rule. Under the Omnibus Rule, subcontractors also must do the following: (1) perform a risk analysis and (2) adopt a policies and procedures that implement the technical, physical, and administrative safeguards and the documentation requirements of the Rule.
Before the HITECH Act, covered entities were liable for their business associate’s breach only if they had actual knowledge of the breach and didn’t do anything about it. Now, under that Act, covered entities are responsible for the actions of the business associate if the latter is the “agent” of the covered entity. The Omnibus Rule clarified when a business associate is an agent by referring to the federal common law of agency. If the covered entity has enough control to direct the business associate in the performance of its tasks, the business associate is an agent. A business associate is not an agent if the business associate agreement sets the terms and conditions of the contractual obligations and if the covered entity does not otherwise direct performance of the business associate’s duties.
The Omnibus Rule also made “downstream” business associates actual business associates with all of the same criminal and civil liabilities as the “upstream” business associate. Taken to its logical conclusion, if a covered entity hires a law firm to defend it in a malpractice case (the law firm would have to review the alleged victim’s protected health information (“PHI”) to defend the case) and the law firm hired an expert witness, that witness would also be a business associate with the same liability. And if the expert hired another expert to review the chart, that third-tier downstream business associate would also be a business associate with the same liabilities as the first-tier one, the law firm.
The Omnibus Rule also clarified the definition of “business associate” specifically to include patient safety organizations, health information exchanges, entities that offer personal health records to patients on behalf of a covered entity, and document storage entities that receive PHI.
The Minnesota Attorney General has already sued a business associate under the expanded civil liability, above. Is the “Law of Unintended Consequences” applicable here when Congress didn’t consider that business associates would stop serving covered entities or jack up their prices to cover their expanded liability and greater compliance costs? Or the costs to covered entities of getting the new business associate contracts in place (DHHS estimated the legal costs at $50 an hour for attorney review—yeah right)? And I thought that we were trying to save money in health care.