How to Limit Your Liability Under the HITECH Act Omnibus Rule


By James J. Hennelly [1]
James J. Hennelly, Jeffrey J. Kimbell & Associates, Washington, DC

The new requirements under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) Omnibus Rule greatly expand the reach of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).[2] Covered entities under HIPAA now can be held liable for the actions or omissions not only of their business associates, but also subcontractors and vendors of those business associates.[3] While most attorneys, especially those who represent clients in the healthcare industry, have at least a basic understanding of HIPAA, many are surprised to learn that attorneys themselves can be considered business associates under HIPAA and now have certain responsibilities to protect individual health information under the Omnibus Rule. Even though the Department of Health & Human Services (HHS) Office for Civil Rights (OCR) has never brought an enforcement action against an attorney or law firm, failure to comply with HIPAA soon could result in civil monetary penalties for noncompliant law firms.

This article first explains the expanded business associate provisions of the Omnibus Rule, including how covered entities' liability for the acts or omissions of their business associates is limited to their agents acting within the scope of their agency. Second, this article looks at relevant federal common law of agency to illustrate the types of circumstances under which OCR is likely to consider an agency relationship to exist and to highlight some ambiguities in this agency approach. Third, this article discusses the unique problems attorneys representing covered entities or business associates face under the Omnibus Rule. For example, an attorney's interests when negotiating his business associate agreement with a client may conflict with her professional responsibilities as an attorney.
Finally, this article presents solutions for covered entities and business associates and suggests ways to construct business associate agreements so as to avoid unanticipated liability under the Omnibus Rule.

I. Background on HIPAA

Congress enacted HIPAA in 1996 to improve the efficiency and effectiveness of the U.S. health care system and to protect the privacy of individually identifiable health information in the wake of advances in health information technology.[4] Title II of HIPAA, known as the Administrative Simplification provisions, requires providers, health insurance plans, and employers to adopt federal privacy protections for individually identifiable health information.[5] HHS subsequently published several key regulations implementing the HIPAA Administrative Simplification provisions.[6] Issued in 2000, the Privacy Rule sets national standards for the protection of individually identifiable health information by three types of covered entities: health plans, health care clearinghouses, and health care providers who conduct health care transactions electronically.[7] The Privacy Rule defines and limits the circumstances in which an individual's protected health information (PHI) may be used or disclosed by covered entities.[8] In 2003, HHS published the Security Rule, which requires covered entities to have appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic PHI.[9] Finally, the HIPAA Enforcement Rule contains provisions relating to compliance and investigations, the imposition of civil monetary penalties for violations of the HIPAA Administrative Simplification Rules, and procedures for hearings.[10] HHS OCR is responsible for administering and enforcing the Privacy and Security Rules through investigations and the imposition of civil monetary penalties.[11]

140 / Journal of the MISSOURI BAR

A. Covered Entities

As mentioned above, entities that must comply with the requirements under HIPAA are known as covered entities, defined in the Administrative Simplification provisions as either a health care provider that conducts certain transactions in electronic form, a health care clearinghouse, or a health plan.[12] For example, a health care provider that electronically transmits claims information directly or through an intermediary to a health plan is a covered entity under HIPAA.[13] Covered entities are required to protect the privacy and security of health information and provide individuals certain rights with respect to their PHI through compliance with the HIPAA Security, Privacy, and Enforcement Rules.[14]

B. Business Associates

Many covered entities use the services of a variety of other persons or businesses, known as business associates under HIPAA, to carry out some of their health care activities and functions.
HIPAA permits a covered entity to disclose PHI to a business associate and allows the business associate to create, receive, maintain, or transmit PHI on behalf of the covered entity as long as the covered entity and business associate have a written business associate agreement.[15] The business associate agreement provides covered entities satisfactory assurances that the business associate will use the relevant health information only for purposes for which it was engaged by the entity and will safeguard the information from misuse.[16] Before the HITECH Act, typically only covered entities, not their business associates, were directly liable for violations of the HIPAA Privacy and Security Rules, assuming the parties had an adequate business associate agreement.

II. The Omnibus Rule Ushers in Sweeping Changes for HIPAA Compliance for Business Associates

Congress enacted the HITECH Act in 2009 as part of an effort to promote and expand the adoption of health information technology.[17] Among its more notable reforms were the incentives it gave providers to use electronic health records.[18] On January 17, 2013, HHS published its long-awaited final rule implementing the HITECH Act to expand the reach of the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules.[19] Collectively, these regulations are known as the Omnibus Rule.[20] This section discusses the changes affecting the liability of covered entities and business associates under HIPAA and the circumstances under which a covered entity may be liable for the actions of its business associates.

May-June 2014 / 141

Under the Omnibus Rule, the HIPAA Privacy and Security Rules now apply to all business associates in the same way they previously did to covered entities.[21] This means that business associates can now be held directly liable for violating the HIPAA Privacy and Security Rules and subject to civil monetary penalties.[22] While a comprehensive discussion of the many changes the Omnibus Rule brings for business associates is beyond the scope of this article, it is worth summarizing the more relevant changes.

A business associate is now directly liable for violating any of the administrative, physical, and technical requirements of the Security Rule.[23] Business associates and subcontractors of business associates should already have in place security practices that either comply with the HIPAA Security Rule or that only require modest improvements to come into compliance.[24] Notably, if the parties have in place a business associate agreement that previously complied with HIPAA, OCR provides covered entities and their business associates a one-year grace period, until September 22, 2014, to update their business associate agreements.[25] Moreover, covered entities are not required to obtain satisfactory assurances with a subcontractor-business associate; rather, the business associate must obtain these assurances.[26]

Under the Privacy Rule, a business associate is directly liable for uses and disclosures of PHI that do not comply with its business associate agreement.[27] A business associate may also be liable for failing to enter into a business associate agreement with a subcontractor.[28] Failure to comply with the so-called minimum necessary provision of the Privacy Rule, which requires an entity to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose, may also result in liability.[29] Finally, failing to disclose PHI to the covered entity, the individual, or HHS when investigating a business associate's compliance with HIPAA may result in liability.[30]

The Omnibus Rule also expands the duties of covered entities and their business associates under the Breach Notification Rule.[31] Business associates are required to report PHI breaches to the covered entities within 60 days of discovering a breach.[32] The rule imputes knowledge of a breach on any agents of the covered entity, which would include business associates if they act as agents.[33]

Importantly, the Omnibus Rule broadens the definition of business associate.[34] Any entity that creates, receives, maintains, or transmits PHI is considered a business associate.[35] The rule also makes clear that entities that enter into contracts with business associates and that create, receive, maintain, or transmit PHI on behalf of business associates are themselves regulated as business associates.[36] In other words, subcontractors and vendors that do not have any direct relationship with a covered entity, but have an agreement with another business associate, are now considered business associates under HIPAA and are subject to the same requirements as the covered entity if they create, receive, maintain, or transmit the covered entity's PHI.[37] Covered entities, therefore, may be held liable under HIPAA for the actions of a subcontractor of a business associate with whom the covered entity has no direct relationship.[38]

There is an important limitation, however, on a covered entity's liability for the actions of its business associates.
The Omnibus Rule provides that a covered entity may be held liable for civil monetary penalties for an act or omission of any agent of the covered entity, including a business associate or subcontractor, acting within the scope of the agency.[39] Accordingly, covered entities can avoid liability for the actions of their business associates, including business associate subcontractors and vendors, by ensuring that an agency relationship does not exist, or, if agency exists, that the agent was not acting within the scope of [its] agency.[40] The Omnibus Rule provides only limited insight into when OCR will find that an agency relationship exists and when an agent is acting within the scope of its agency. Attorneys representing covered entities and business associates largely will be left to their own devices to decipher federal common law of agency principles to figure out the effects of this provision. The next section discusses some of these relevant agency principles that OCR will likely use when it makes a determination as to whether an agency relationship exists.

A. What is an Agent?

In making its determination as to whether an agency relationship exists, OCR will look at the business associate agreement and the totality of the facts and circumstances surrounding the relationship; thus, there is no universal rule for determining agency.[41] To make matters more complicated, the Omnibus Rule does not define agent or scope of agency.[42] Instead, the rule explains that OCR will determine whether an agency relationship exists based on the federal common law of agency.[43] The Restatement (Third) of Agency, to which many federal courts look for guidance on agency issues, defines an agent as someone who acts on the principal's behalf and subject to the principal's control.[44] This largely reflects the Omnibus Rule's definition of business associate as a person who performs functions or activities on behalf of, or certain activities for, a covered entity that involve the use or disclosure of PHI.[45]

Another issue is whether a business associate would be classified as an independent contractor or as an employee under federal common law.[46] The definition of business associate expressly excludes a member of the workforce of such covered entity, defined as employees or other persons whose conduct is under the direct control of the covered entity (or business associate).[47] While this might imply that employees are expressly excluded from the business associate definition, and thus that business associates should be treated as independent contractors for agency law purposes,[48] the regulations do not expressly rule out the possibility that a business associate, under certain circumstances, might act as an employee of the covered entity for purposes of determining liability under HIPAA. The dichotomy between labeling a business associate as an independent contractor versus an employee seems less significant to OCR than analysis based on federal common law and the specific factors set forth in the Omnibus Rule.[49]

Specifically, the Omnibus Rule indicates that the right or authority of a covered entity to control the business associate's conduct in the course of performing a service is an essential factor in determining whether an agency relationship exists:

[I]f the only avenue of control is for the covered entity to amend the terms of the agreement or sue for breach of contract, this generally indicates that a business associate is not acting as an agent.
In contrast, a business associate generally would be an agent if it enters into a business associate agreement with a covered entity that granted the covered entity the authority to direct the performance of the service provided by its business associate after the relationship was established.[50]

Thus, a covered entity's ability to issue interim instructions or directions after entering into a business associate agreement is significant for determining agency.[51] According to the Restatement (Third) of Agency, a principal becomes liable for the acts of an agent when the principal has a right to control physical details as to the manner of performance.[52] A business associate generally would not be an agent of the covered entity if the covered entity's control over the actions of its business associate is limited by the terms of the business associate agreement. The only way to direct the business associate is to amend the agreement or sue for breach of contract.[53] However, if a covered entity has the authority to instruct the business associate in the provision of services in other ways (for example, if a business associate agreement provides that the business associate will make PHI available pursuant to an individual's right of access under 45 C.F.R as directed by the covered entity plan), this would be evidence of an agency relationship.[54] As a general rule, if the only way a covered entity can control the actions of a business associate after signing a business associate agreement is to sue for breach of contract based on that agreement, an agency relationship is less likely to exist.[55]

The Omnibus Rule invokes another principle of agency law that a person under a duty to protect another cannot avoid liability by delegating performance of the duty to another.[56] Therefore, under HIPAA, an agency relationship might exist when a covered entity contracts out or delegates a particular obligation under HIPAA to its business associate.[57] The policy behind this provision is to ensure that a covered entity or business associate would remain liable for penalties for the business associate agent failing to perform an obligation on behalf of the covered entity or business associate.

Two U.S. Supreme Court cases are instructive for determining whether an agency relationship exists. In Community for Creative Non-Violence v. Reid [58] and Nationwide Mutual Insurance Co. v. Darden,[59] the Court set forth a list of 13 non-exhaustive factors to consider when determining agency: the hiring party's right to control the manner and means by which the product is accomplished; the skill required; the source of the instrumentalities and tools; the location of the work; the duration of the relationship between the parties; whether the hiring party has the right to assign additional projects to the hired party; the extent of the hired party's discretion over when and how long to work; the method of payment; the hired party's role in hiring and paying assistants; whether the work is part of the regular business of the hiring party; whether the hiring party is in business; and the provision of employee benefits.[60]

With these factors in mind, consider the example of a covered entity hiring a company to run a call center that responds to customer service inquiries. The two entities enter into a business associate agreement. Because the covered entity has hired the company to perform a specific function, an agency relationship likely would not exist, assuming the business associate agreement limits the covered entity's authority to control the business associate's manner and means of performing its function. The employees of the business associate would be kept separate from those of the covered entity, and they would be hired by and paid by the business associate instead of by the covered entity.[61] Moreover, the covered entity is not in the business of operating call centers.[62] The same would likely be true for most document storage companies, another common example of a business associate.

An agency relationship might arise in the call center example, however, if the circumstances were slightly different. OCR might be more likely to find an agency relationship if the call center's only client is the covered entity and was created for the sole purpose of serving the covered entity.
Similarly, a business associate that provides temporary or time-limited services, such as computer repairs or IT upgrades, tends to work on site at the covered entity's place of work and work solely for the covered entity, which indicates that an agency relationship is more likely to exist.

B. When Does an Agent Act Within the Scope of Its Agency?

Even if an agency relationship exists, however, the business associate must have been acting within the scope of its agency for the covered entity to be liable for the business associate's actions (including those of subcontractors).[63] The HITECH Omnibus Rule sets forth four criteria based on federal common law for determining whether a business associate's activity occurred within the scope of its agency: (1) the time, place, and purpose of the conduct; (2) whether the covered entity (or business associate in a subcontractor relationship) had control over the course of the business associate's conduct; (3) whether the conduct is commonly performed by the business associate on behalf of the covered entity (or other business associate in a subcontractor relationship); and (4) whether the covered entity (or other business associate in a subcontractor relationship) reasonably expected that the business associate would engage in the conduct.[64] Ultimately, a business associate's conduct generally will be within the scope of its agency if it occurs during the performance of the assigned work or incident to such work, though even acts contrary to clear instructions of the covered entity can lead to liability of the covered entity.[65] The covered entity likely will not be liable, however, if the business associate's conduct was for its own benefit or too little actuated by the purposes of the covered entity.[66] Similarly, if an employee's tortious conduct is unrelated either to work assigned by the employer or to a course of conduct that is subject to the employer's control, the conduct is outside the scope of employment.[67] The conduct of an employee who undertakes a course of work-related conduct for the sole purpose of furthering the employee's interests or those of a third party will often lie beyond the employer's effective control.[68]

Returning to the call center example above, assume that the call center's only client was the covered entity and that it was created for the sole purpose of serving the business associate; therefore, an agency relationship exists. If an employee of the call center negligently leaves his computer logged in and an intruder manages to obtain PHI from the hard drive, the covered entity likely would be liable for the actions of the business associate employee even if the business associate agreement provided that the employees would be appropriately trained in IT security matters. The breach occurred during the performance of the employee's work pursuant to the call center's duties under the business associate agreement.[69] Moreover, the employee was not acting solely for the benefit of himself or a third party. Thus, the covered entity could be liable for the penalties associated with the breach. On the other hand, the actions of an employee who decides to sell PHI to a third party are likely beyond the scope of the business associate agreement and for the sole benefit of the employee.[70]

As the Omnibus Rule points out, applying federal common law of agency requires a detailed facts and circumstances analysis that can easily lead to differing conclusions as to when an agency relationship exists. To make matters more complicated, lawyers familiar with state common law of agency in their home state should note that federal common law of agency could differ from some state common law with respect to when an agency relationship exists. There is also a question as to whether state law might be applicable if a state attorney general is involved as opposed to a federal official.
While state common law of agency generally mirrors federal common law of agency, state agency law could differ from federal law in certain situations. For example, some states have statutes that limit a health care provider's liability to the actions or omissions of its employees and expressly exclude liability for agents.[71] Attorneys should be familiar with the peculiarities of their own state's laws of agency in such circumstances.

C. Negotiating New Business Associate Agreements

Covered entities should review their business associate agreements to ensure that a business associate would not be considered an agent of the covered entity in the first place. There are several provisions a covered entity could include in a business associate agreement to protect itself from liability. For example, the agreement should include disclaimers explaining that the covered entity maintains no control or authority over the business associate to provide interim instructions or directions with regard to how the business associate performs its functions pursuant to the agreement. The terms of the agreement should set forth the entirety of the relationship between the two entities and should indicate that the business associate may only act pursuant to the agreement. The agreement should also include an indemnification provision providing that the sole legal actions that the covered entity may initiate against the business associate are breach of contract claims. Similarly, the covered entity should include in the indemnification provisions disclaimers providing that the covered entity is not liable for any civil monetary penalties arising from a business associate's HIPAA violation occurring during the performance of or outside the scope of terms within the business associate agreement.
Covered entities and business associates might also consider purchasing HIPAA liability insurance to pay for legal representation and penalties for issues arising under HIPAA, as general liability insurance does not cover data breaches and similar violations.[72]

Many issues as to whether a business associate was acting within the scope of its agency with regard to a possible HIPAA violation can also be addressed in a contract between the business associate and covered entity. For example, covered entities and business associates could have a service agreement underlying their standard business associate agreement that sets forth the duties of the business associate. Whether in the business associate agreement or in an underlying service agreement, it is important for the covered entity to limit the duties of the business associate to those absolutely necessary for the business associate to perform its functions, thus limiting the covered entity's liability in the event of a HIPAA violation. This essentially limits the scope of agency.

III. Unique Issues Facing Attorneys as Business Associates

Attorneys who do not regularly practice in health care law may be surprised to find that using or accessing PHI in the course of representing a client can make them a business associate.[73] As business associates, attorneys, too, should amend or enter into new business associate agreements with their covered entity or business associate clients. Even though covered entities were already required to have business associate agreements with their attorneys before the Omnibus Rule, as the HITECH Act has empowered OCR to impose civil monetary penalties directly against business associates since February 2010, OCR has never pursued such actions against business associate lawyers.[74] This could change, however, now that the provisions of the Omnibus Rule have gone into effect.

Attorneys should pay close attention to certain provisions in the Privacy and Security Rules and the Breach Notification Rule. Additionally, attorneys should be cognizant of any professional responsibility issues that may arise when creating or amending their business associate agreements with clients. While a comprehensive discussion of all the changes the Omnibus Rule brings for attorney business associates is beyond the scope of this article, a summary of the more relevant changes is below, followed by a discussion of professional responsibility considerations when attorneys negotiate business associate agreements with clients.

A. Privacy Rule

Attorney business associates are required under the Omnibus Rule to comply with certain provisions of the Privacy Rule regarding uses and disclosures of PHI.[75] For example, attorneys must now make reasonable efforts to limit uses, disclosures, requests, and provisions of PHI to the minimum necessary to accomplish an intended purpose, such as defending a case.[76] This means that law firms should have in place policies and procedures to limit access to information containing PHI only to those who need the information to carry out their duties. Implementing such policies will require all employees who may reasonably come into contact with such documents containing PHI to have training on compliance with these HIPAA provisions, including any administrative staff.

B. Breach Notification Rule

As explained above, business associates have expanded responsibilities under the breach notification requirements of the Omnibus Rule. As business associates, lawyers and their law firms must now notify a covered entity within 60 days following the discovery of a breach of unsecured PHI.[77] Additionally, OCR now presumes any impermissible disclosure of PHI to be a breach, including violations of the minimum necessary standard, unless a law firm can demonstrate low probability that the information has been compromised.[78] When determining the probability that the information was compromised, OCR considers the nature and extent of the PHI involved, the report of the unauthorized person to whom the disclosure was made, any documentation of whether PHI was actually acquired or viewed, and assurances that the risk to PHI has been mitigated.[79] Law firms, therefore, should monitor and log information access for purposes of making this defense in the event of a breach.[80]

C. Security Rule

Law firm business associates must also comply with all provisions of the Security Rule as amended by the Omnibus Rule. Notable requirements for law firms include designating a security official, ensuring workforce compliance, and developing written policies and procedures to protect PHI.[81] Law firms should have in place safeguards such as: locking medical records when not in use; appropriately securing computers, servers, and networks that contain PHI from improper access; prohibiting access by improper parties, such as staff not working on the specific matter; password management; training; and encrypting data in storage or when transmitted over a non-secure network.

D. Conflicts with Attorneys' Professional Responsibilities

Attorneys should be wary of any duties they have under their state's professional responsibility rules when negotiating contracts between themselves and covered entity (or business associate) clients. Many covered entities want all of their business associates, including law firms that represent them, to sign the same business associate agreement. Lawyers should resist signing a standard boilerplate business associate agreement, as lawyers have professional responsibility duties distinct from other vendors.
The new requirements under the Omnibus Rule can create an uncomfortable dynamic between a client and his attorney, as they effectively become adverse parties for purposes of negotiating the terms of a business associate agreement and the allocation of risk for a security breach. One concern is whether attorney business associates must advise a client, either existing or potential, regarding the client's right to consult with independent counsel before signing the agreement.[82] One solution is to include a statement in the business associate agreement explaining that the parties acknowledge that the lawyer is not representing the client in connection with the negotiations of the terms of the business associate agreement, and that the client waives his right to have an independent counsel review the agreement. Such provisions should also be explained to the client.

A lawyer is prohibited in general from using information relating to representation of a client to the client's disadvantage unless the client consents after consultation under Rule 1.8(b) of the Model Rules of Professional Conduct. Thus, lawyers should be careful when negotiating with clients the terms of a business associate agreement not to use information gained through representation of the client to the client's disadvantage. Attorneys should obtain the client's consent after explaining the nature of the negotiations for the business associate agreement before the client signs the contract.

Other provisions in the HITECH Act, if followed literally, could result in breaches of the attorney-client privilege and work product. For example, the HITECH Act requires a business associate that becomes aware of a breach by its covered entity client to report the breach to HHS under certain circumstances.[83] HIPAA also requires that all business associate agreements include a provision stating that the business associate will allow HHS to review the business associate's records to ensure compliance with HIPAA.[84] Including such language in an agreement with a law firm without a relevant disclaimer could result in unintentionally waiving attorney-client privilege. Therefore, attorneys should not sign a business associate agreement without including a disclaimer clearly stating that the agreement does not waive the client's rights under the attorney-client privilege.[85]

Many standard business associate agreements also contain indemnification provisions, some of which could potentially void an attorney's malpractice insurance coverage.[86] Rule 1.8(h)(1) forbids attorneys from making any agreement that prospectively limits the lawyer's liability to a client for malpractice unless the client is independently represented in making the agreement.[87] Attorneys should make clear in their business associate agreements that they are not waiving liability for legal malpractice.

IV. Conclusion

Given that even acts contrary to clear instructions of the covered entity can lead to liability for the covered entity, covered entities should avoid agency relationships with business associates whenever possible and include clear indemnification provisions when an agency relationship might exist. Covered entities and business associates should carefully review their business associate agreements both to ensure that they are compliant with Omnibus Rule amendments and to limit their liability to the extent possible with regard to agency principles.
Unfortunately, until OCR pursues enforcement actions based on agency principles, many uncertainties regarding OCR's application of agency law will remain.

Endnotes

1 James Hennelly is Manager of Health Policy and Reimbursement at Jeffrey J. Kimbell & Associates, a government affairs and health policy firm in Washington, D.C. that works exclusively on behalf of life sciences companies. He provides regulatory health policy support to biopharmaceutical and medical device manufacturers. Hennelly graduated cum laude from American University Washington College of Law and is a member of The Missouri Bar. 2 See HITECH Act [Omnibus Rule], 78 Fed. Reg (Jan. 25, 2013) (modifying certain provisions at 45 C.F.R. 160 and 164). 3 See 45 C.F.R (b). 4 See HIPAA Administrative Simplification Statute and Rules, U.S. Department of Health & Human Servs. (last visited April 10, 2014), available at ocr/privacy/hipaa/administrative/index.html. 5 See 42 U.S.C. 1395b-5 and 1395ddd. 6 See id. 7 See 45 C.F.R See 45 C.F.R See 45 C.F.R. 160 and 164, Subparts A and C C.F.R. 160, Subparts C, D, and E. 11 See id C.F.R See id. 14 See 45 C.F.R. 160 and C.F.R See Business Associates, U.S. Department of Health & Human Servs. (last updated Apr. 3, 2003), available at ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html. 17 See HITECH Act, 42 U.S.C. 300jj, et seq., 42 U.S.C et seq. 18 Id. 19 HITECH Act [Omnibus Rule], 78 Fed. Reg (Jan. 25, 2013) (codified at 45 C.F.R. 160 and 164). 20 Id. 21 See 45 C.F.R See 45 C.F.R , and See id. 24 See 45 C.F.R (a).

May-June 2014 / 147

25 See 45 C.F.R (f). 26 See 45 C.F.R See 45 C.F.R (a). 28 See 45 C.F.R (b)(2) C.F.R (b) C.F.R (a)(4) C.F.R (a)(2). 32 Id. 33 See id. 34 See 45 C.F.R Id. 36 Id. 37 Id. 38 See 45 C.F.R (3)(iii). 39 See 45 C.F.R (c) (emphasis added). 40 See id. 41 HITECH Act, 78 Fed. Reg. at See 45 C.F.R (c)(2). 43 Id. 44 Restatement (Third) of Agency 1.01 (2006). 45 See 45 C.F.R (c). 46 See Restatement (Third) of Agency 7.07 (2006) (indicating the circumstances in which an employer is liable for the actions of his employee); see also Amy S. Leopard & Aaron Graham, Business Associates Under the New HITECH Omnibus Rule: Be Wary of Secret Agents, Bloomberg BNA Insights, Health Law Center (Mar. 11, 2013) (available only by subscription) C.F.R See, e.g., Amy S. Leopard & Aaron Graham, Business Associates Under the New HITECH Omnibus Rule: Be Wary of Secret Agents, Bloomberg BNA Insights, Health Law Center (Mar. 11, 2013) (explaining that the exclusion of a covered entity's workforce from the definition of business associate indicates that business associates are independent contractors rather than employees for agency law purposes). 49 See 45 C.F.R (c)(2) Fed. Reg. at See id. 52 See Restatement (Third) of Agency 7.07(3)(a) (2006) (providing that an employee is an agent whose principal controls or has the right to control the manner and means of the agent's performance of work ); see also id. 1.01, cmt. (f). 53 See HITECH Act, 78 Fed. Reg. at See id.; see also 45 C.F.R See HITECH Act, 78 Fed. Reg. at Restatement (Third) of Agency 7.06 (2006) 57 See id U.S. 730 (1989) U.S. 318 (1992). 60 Nationwide, 503 U.S. 318; Cmty. for Creative Non-Violence, 490 U.S See Nationwide, 503 U.S. 318 (explaining that the location of the work performed and the method of payment are relevant factors for determining whether an agency relationship exists). 62 See id.
(indicating that whether the work was part of the regular business of the hiring party is a relevant factor for determining whether an agency relationship exists). 63 See HITECH Act, 78 Fed. Reg. at Id. 65 See id. at 5582; see also Restatement (Third) of Agency 7.07 cmt. (c) (2006) (explaining how [t]he fact that the employee performs the work carelessly does not take the employee's conduct outside the scope of employment, nor does the fact that the employee otherwise makes a mistake in performing the work. Likewise, conduct is not outside the scope of employment merely because an employee disregards the employer's instructions.). 66 See id.; see also Restatement (Third) of Agency 8.02 (2006). 67 See Restatement (Third) of Agency 8.09 (2006). 68 See id See HITECH Act, 78 Fed. Reg. at 5581 (Jan. 25, 2013) (codified at 45 C.F.R. 160 and 164) (providing that a business associate's conduct generally [will be] within the scope of [its] agency if it occurs during the performance of the assigned work or incident to such work). Id. at See Restatement (Third) of Agency 8.02 (2006). 71 See, e.g., (3), RSMo Supp (No individual or entity whose liability is limited by the provisions of this chapter shall be liable to any plaintiff based on the actions or omissions of any other entity or person who is not an employee of such individual or entity whose liability is limited by the provisions of this chapter.) (emphasis added). Section was held unconstitutional by Watts v. Lester E. Cox Medical Centers, 376 S.W.3d 633 (Mo. banc 2012). While this provision is traditionally applied to health care providers in personal injury matters, one could argue that it could have applied for purposes of determining agency in a HIPAA enforcement action if Missouri state law applied. 72 See Business Associates Who Act as Agents Create New Liability for Covered Entities, 10 Report on Patient Privacy 3 (Sept. 2010), available at articles/827/rpp0910.pdf. 73 See 45 C.F.R (1)(ii).
74 See Kathryn Hume & Patrick Archbold, 2013 HIPAA Omnibus Rules Increase Risks for Law Firms, Law Technology News (Apr. 11, 2013), available at jsp/lawtechnologynews/pubarticleltn. jsp?id= &2013_hipaa_omnibus_rules_increase_risks_for_law_ Firms&slreturn= (indicating that instead of penalizing law firms for lack of compliance with HIPAA, OCR has focused its regulatory efforts on health care providers and related health care organizations before the Omnibus Rule). 75 See 45 C.F.R See id. at (c) C.F.R (a)(2). 78 HITECH Act, 78 Fed. Reg. at Id. at See Hume & Archbold, supra note See 45 C.F.R and ; HITECH Act, 78 Fed. Reg. at 5694 (Jan. 25, 2013); see also Hume & Archbold, fn See Alan S. Goldberg, HIPAA, HITECH Act, Attorneys, and Business Associates: Professional Conduct Contracting Requirements Are Expanding Are You Ready Now?, American Health Lawyers Association (Mar. 2010), available at Events/Programs/Materials/Documents/ AM10/goldberg_hipaa_hitech_act.pdf U.S.C (e)(3); 45 C.F.R (a)(6)(ii). 84 See Sample Business Associate Agreement Provisions, U.S. Department of Health & Human Servs. (Jan. 25, 2013), available at 85 Whether the HIPAA requirements trump the attorney-client privilege is yet to be determined by the courts, though courts tend to favor upholding the attorney-client privilege when it conflicts with federal enforcement provisions in the healthcare field. See, e.g., United States ex rel. Fair Lab. Practices Assocs. v. Quest Diagnostics, Inc., 2011 WL , No. 05 Civ (RPP) (S.D. N.Y. Apr. 5, 2011) (disqualifying an attorney qui tam relator bringing a claim under the False Claims Act based on information protected by the attorney-client privilege). 86 See Jeff Drummond, Attorney Responsibilities Under HIPAA, Dallas Bar Ass'n, available at attorney-responsibilities-under-hipaa (last visited May 10, 2013). 87 Model Rules of Prof'l Conduct R. 1.8(h)(1).


More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Agreement is entered into as of ("Effective Date"), between ( Covered Entity ), and ( Business Associate ). RECITALS WHEREAS, Business Associate provides services on behalf

More information

Please print the attached document, sign and return to privacy@covermymeds.com or contact Erica Van Treese, Account Manager, Provider Relations &

Please print the attached document, sign and return to privacy@covermymeds.com or contact Erica Van Treese, Account Manager, Provider Relations & Please print the attached document, sign and return to privacy@covermymeds.com or contact Erica Van Treese, Account Manager, Provider Relations & Solutions. Office: 866-452-5017, Fax: 615-379-2541, evantreese@covermymeds.com

More information

DATA USE AGREEMENT Minnesota Hospital Association

DATA USE AGREEMENT Minnesota Hospital Association DATA USE AGREEMENT Minnesota Hospital Association This Data Use Agreement ("Agreement") is between Minnesota Hospital Association ("MHA") and ("Data User"). MHA collects and maintains certain data comprising

More information

Professional Solutions Insurance Company. Business Associate Agreement re HIPAA Rules

Professional Solutions Insurance Company. Business Associate Agreement re HIPAA Rules Professional Solutions Insurance Company Business Associate Agreement re HIPAA Rules I. Purpose of Agreement This Agreement reflects Professional Solutions Insurance Company s agreement to comply with

More information

APPENDIX I: STANDARD FORM BUSINESS ASSOCIATE CONTRACT AND DATA USE AGREEMENT

APPENDIX I: STANDARD FORM BUSINESS ASSOCIATE CONTRACT AND DATA USE AGREEMENT APPENDIX I: STANDARD FORM BUSINESS ASSOCIATE CONTRACT AND DATA USE AGREEMENT THIS AGREEMENT is entered into and made effective the day of, 20 (the Effective Date ), by and between (a) THE SOCIETY OF GYNECOLOGIC

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (this Agreement ), effective as of May 1, 2014 (the Effective Date ), by and between ( Covered Entity ) and Orchard Software Corporation,

More information

COVERMYMEDS BUSINESS ASSOCIATE AGREEMENT

COVERMYMEDS BUSINESS ASSOCIATE AGREEMENT COVERMYMEDS BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (the Agreement ) is entered into between Covered Entity and CoverMyMeds LLC, a Delaware limited liability company ( Business Associate

More information

Sample Business Associate Agreement Provisions

Sample Business Associate Agreement Provisions Sample Business Associate Agreement Provisions Words or phrases contained in brackets are intended as either optional language or as instructions to the users of these sample provisions. Definitions Catch-all

More information

BUSINESS ASSOCIATE ADDENDUM

BUSINESS ASSOCIATE ADDENDUM BUSINESS ASSOCIATE ADDENDUM This Business Associate Addendum ( Addendum ) is entered into this day of 2014. Perry Memorial Hospital ( Covered Entity ) and [ABC Company] ( Business Associate ) referred

More information

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT BUSINESS ASSOCIATE TERMS AND CONDITIONS

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT BUSINESS ASSOCIATE TERMS AND CONDITIONS COVERYS RRG, INC. HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT BUSINESS ASSOCIATE TERMS AND CONDITIONS WHEREAS, the Administrative Simplification section of the Health Insurance Portability and

More information

This form may not be modified without prior approval from the Department of Justice.

This form may not be modified without prior approval from the Department of Justice. This form may not be modified without prior approval from the Department of Justice. Delete this header in execution (signature) version of agreement. HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate

More information

AGREEMENT FOR ACCESS TO PROTECTED HEALTH INFORMATION BETWEEN WAKE FOREST UNIVERSITY BAPTIST MEDICAL CENTER AND

AGREEMENT FOR ACCESS TO PROTECTED HEALTH INFORMATION BETWEEN WAKE FOREST UNIVERSITY BAPTIST MEDICAL CENTER AND AGREEMENT FOR ACCESS TO PROTECTED HEALTH INFORMATION BETWEEN WAKE FOREST UNIVERSITY BAPTIST MEDICAL CENTER AND THIS AGREEMENT for Access to Protected Health Information ( PHI ) ( Agreement ) is entered

More information

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist HIPAA Omnibus Rule Overview Presented by: Crystal Stanton MicroMD Marketing Communication Specialist 1 HIPAA Omnibus Rule - Agenda History of the Omnibus Rule What is the HIPAA Omnibus Rule and its various

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Business Associate Agreement (this "Agreement") is made as of, 201_ (the Effective Date ), and is entered into between ( Covered Entity ) and Delta Business System, Inc.

More information

HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN. Stewart C. Miller & Co., Inc. (Business Associate) AND

HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN. Stewart C. Miller & Co., Inc. (Business Associate) AND HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN Stewart C. Miller & Co., Inc. (Business Associate) AND City of West Lafayette Flexible Spending Plan (Covered Entity) TABLE OF CONTENTS

More information

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually

More information

HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist. www.riskwatch.com

HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist. www.riskwatch.com HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist www.riskwatch.com Introduction Last year, the federal government published its long awaited final regulations implementing the Health

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) by and between Drexel University ( Hybrid Entity ), with a principal address at 3141 Chestnut Street, Philadelphia, PA 19104,

More information

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...

More information

Business Associate Contract

Business Associate Contract Business Associate Contract THIS CONTRACT is made and entered into by and between Imagine! (hereinafter called Contractor ), a not-for-profit Community Centered Board, duly incorporated and existing under

More information