The Omnibus Rule, fleshing out the HIPAA changes in the HITECH Act, clarified when covered entities and business associates would be liable for breaches of “downstream” business associates. The Omnibus Rule makes covered entities and business associates liable under § 160.402(c) for the acts of their business associate agents, in accordance with the federal common law of agency, regardless of whether the covered entity has a compliant business associate agreement in place.

DHHS noted that the essential factor in determining whether an agency relationship exists between a covered entity and its business associate (or business associate and its subcontractor) is the right or authority of a covered entity to control the business associate’s conduct in the course of performing a service on behalf of the covered entity. The right or authority to control the business associate’s conduct also is the essential factor in determining whether an agency relationship exists between a business associate and its business associate subcontractor. Thus, if the only authority that the covered entity or business associate has is to specify the business associate’s duties in the business associate agreement and to fire the business associate or sue it for breach of contract if it does not perform, that degree of authority would indicate that no agency relationship existed. If, however, the business associate contract required the business associate to perform some service involving PHI “as specified by the covered entity (or upstream business associate), then an agency relationship would exist. DHHS noted that several factors are important to consider in any analysis to determine the scope of agency: (1) time, place, and purpose of a business associate agent’s conduct; (2) whether a business associate agent engaged in a course of conduct subject to a covered entity’s control; (3) whether a business associate agent’s conduct is commonly done by a business associate to accomplish the service performed on behalf of a covered entity; and (4) whether or not the covered entity reasonably expected that a business associate agent would engage in the conduct in question.

Two U.S. Supreme Court cases specify the federal common law of agency. In Community for Creative Non-Violence v. Reid, 490 U.S. 730 (1989), and Nationwide Mut. Ins. Co. v. Darden, 112 S.Ct. 1344 (1992), the U.S. Supreme Court set forth 13 factors as constituting a non-exhaustive list of factors to consider when applying the common law agency test:

1. Hiring party’s right to control the manner and means by which the product is accomplished.

2. Skill required.

3. Source of the instrumentalities and tools.

4. Location of the work.

5. Duration of the relationship between the parties.

6. Whether the hiring party has the right to assign additional projects to the hired party.

7. Extent of the hired party’s discretion over when and how long to work.

8. Method of payment.

9. Hired party’s role in hiring and paying assistants.

10. Whether the work is part of the regular business of the hiring party.

11. Whether the hiring party is in business.

12. Provision of employee benefits.

13. Tax treatment of the hired party.

Whether a covered entity qualifies as having an agency relationship with a business associate or a business associate subcontractor will depend on the facts and circumstances of the particular arrangement, but parties entering into business associate relationships should carefully consider the above factors when deciding the terms of the relationship.