Agency in HIPAA Omnibus Rule
Whether an entity qualifies as a Business Associate or an Agent could be very important for a medical practice.
Why? Imagine the following scenario:
You set up a relationship with a Business Associate (let’s say, an outsourced billing provider). The billing provider has a data breach. If the billing provider qualifies as a Business Associate, then the regulator will go directly after the Business Associate (assuming that the practice was being compliant).
However, under the new HIPAA Omnibus Rule, if the Business Associate qualifies as an Agent, then the medical practice is liable for all of their fines. This little change routes even more compliance fines directly to medical practices. (page 60)
What is an Agent?
Agency describes the relationship between a medical practice and another actor. An ‘agent’ is someone acting on behalf of a ‘principal’ and is directly accountable to the principal. A Business Associate, by contrast, is not directly accountable to the principal.
Are they an Agent or a Business Associate?
If it’s a particularly sticky issue, you should probably talk to your lawyer. If you don’t know a good Health IT lawyer, contact us, and we can put you in good hands.
But as a general rule, here’s a way to delineate between your Agents and Business Associates. Ask yourself: how much control do I have over this relationship? If you’re directing an extensive amount of the relationship, such that the other actor is an extension of your own business, they’re probably an Agent. If the relationship is more contractual, and more like you’re purchasing a product or service, then they’re probably a Business Associate.
What does this rule modification mean?
If you decide to outsource some component of your practice, it’s impossible to both control the relationship and avoid fines from the relationship.
Moving forward, Covered Entities should evaluate the nature of their relationships with their Business Associates, looking at how much risk they’re placing themselves in.
Covered Entities should also make sure that their Business Associates notify them well within their 60-day requirement to do so in the event of a breach. The reason? If it is later determined that the Business Associate was in fact an Agent, then those 60 days are the limit within which the Covered Entity has to notify HHS and its patients. It’d be pretty bad to be notified on the 59th day, and then have exactly 1 day to notify HHS, as well as your own patients.
Return to EMRSoap’s Omnibus Guide