How to Limit Your Liability Under the HITECH Act Omnibus Rule

BY JAMES J. HENNELLY1
Jeffrey J. Kimbell & Associates, Washington, DC
Journal of the Missouri Bar, May-June 2014, pp. 140-146
The new requirements under the
Health Information Technology
for Economic and Clinical Health
Act of 2009 (HITECH) Omnibus
Rule greatly expand the reach of the
Health Insurance Portability and Accountability Act of 1996 (HIPAA).2
Covered entities under HIPAA now
can be held liable for the actions or
omissions not only of their business
associates, but also subcontractors
and vendors of those business associates.3 While most attorneys, especially
those who represent clients in the
healthcare industry, have at least a
basic understanding of HIPAA, many
are surprised to learn that attorneys
themselves can be considered business associates under HIPAA and now
have certain responsibilities to protect
individual health information under
the Omnibus Rule. Even though the
Department of Health & Human
Services (HHS) Office for Civil Rights
(OCR) has never brought an enforcement action against an attorney or law
firm, failure to comply with HIPAA
soon could result in civil monetary
penalties for noncompliant law firms.
This article first explains the expanded business associate provisions
of the Omnibus Rule, including how
covered entities’ liability for the acts
or omissions of their business associates is limited to their agents acting
within the scope of their agency.
Second, this article looks at relevant
federal common law of agency to
illustrate the types of circumstances
under which OCR is likely to consider an agency relationship to exist
and to highlight some ambiguities
in this agency approach. Third, this
article discusses the unique problems
attorneys representing covered entities or business associates face under
the Omnibus Rule. For example, an
attorney’s interests when negotiating
a business associate agreement with
a client may conflict with the attorney's own professional responsibilities.
Finally, this article presents solutions
for covered entities and business associates and suggests ways to construct
business associate agreements so as to
avoid unanticipated liability under the
Omnibus Rule.
I. Background on HIPAA
Congress enacted HIPAA in 1996
to improve the efficiency and effectiveness of the U.S. health care system
and to protect the privacy of individually identifiable health information
in the wake of advances in health
information technology.4 Title II of
HIPAA, known as the Administrative
Simplification provisions, requires
providers, health insurance plans, and
employers to adopt federal privacy
protections for individually identifiable health information.5 HHS
subsequently published several key
regulations implementing the HIPAA
Administrative Simplification provisions.6 Issued in 2000, the Privacy
Rule sets national standards for the
protection of individually identifiable health information by three
types of covered entities: health plans,
health care clearinghouses, and health
care providers who conduct health
care transactions electronically.7 The
Privacy Rule defines and limits the
circumstances in which an individual’s
protected health information (PHI)
may be used or disclosed by covered
entities.8 In 2003, HHS published
the Security Rule, which requires
covered entities to have appropriate
administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of
electronic PHI.9 Finally, the HIPAA
Enforcement Rule contains provisions
relating to compliance and investigations, the imposition of civil monetary
penalties for violations of the HIPAA
Administrative Simplification Rules,
and procedures for hearings.10 HHS
OCR is responsible for administering
and enforcing the Privacy and Security
Rules through investigations and the
imposition of civil monetary penalties.11
A. Covered Entities
As mentioned above, entities that
must comply with the requirements
under HIPAA are known as “covered
entities,” defined in the Administrative Simplification provisions as either
a health care provider that conducts
certain transactions in electronic form,
a health care clearinghouse, or a health
plan.12 For example, a health care
provider that electronically transmits
claims information directly or through
an intermediary to a health plan is a
covered entity under HIPAA.13 Covered entities are required to protect
the privacy and security of health
information and provide individuals certain rights with respect to their
PHI through compliance with the
HIPAA Security, Privacy, and Enforcement Rules.14
B. Business Associates
Many covered entities use the
services of a variety of other persons
or businesses, known as “business
associates” under HIPAA, to carry out
some of their health care activities and
functions. HIPAA permits a covered
entity to disclose PHI to a business
associate – and allows the business associate to create, receive, maintain, or
transmit PHI on behalf of the covered
entity – as long as the covered entity
and business associate have a written
business associate agreement.15 The
business associate agreement provides
covered entities satisfactory assurances
that the business associate will use the
relevant health information only for
purposes for which it was engaged
by the entity and will safeguard the
information from misuse.16 Before the
HITECH Act, typically only covered
entities – not their business associates
– were directly liable for violations
of the HIPAA Privacy and Security
Rules, assuming the parties had an
adequate business associate agreement.
II. The Omnibus Rule Ushers in
Sweeping Changes for HIPAA
Compliance for Business
Associates
Congress enacted the HITECH
Act in 2009 as part of an effort to
promote and expand the adoption
of health information technology.17
Among its more notable reforms were
the incentives it gave providers to
use electronic health records.18 On
January 17, 2013, HHS published its
long-awaited final rule implementing the HITECH Act to expand the
reach of the HIPAA Privacy, Security,
Enforcement, and Breach Notification
Rules.19 Collectively, these regulations
are known as the Omnibus Rule.20
This section discusses the changes affecting the liability of covered entities
and business associates under HIPAA
and the circumstances under which
a covered entity may be liable for the
actions of its business associates.
Under the Omnibus Rule, the
HIPAA Privacy and Security Rules
now apply to all business associates
in the same way they previously did
to covered entities.21 This means that
business associates can now be held
directly liable for violating the HIPAA
Privacy and Security Rules and subject
to civil monetary penalties.22 While a
comprehensive discussion of the many
changes the Omnibus Rule brings for
business associates is beyond the scope
of this article, it is worth summarizing
the more relevant changes.
A business associate is now directly
liable for violating any of the administrative, physical, and technical
requirements of the Security Rule.23
Business associates and subcontractors of business associates should
already have in place security practices
that either comply with the HIPAA
Security Rule or that only require
modest improvements to come into
compliance.24 Notably, if the parties have in place a business associate
agreement that previously complied
with HIPAA, OCR provides covered
entities and their business associates a
one-year grace period – until September 22, 2014 – to update their business associate agreements.25 Moreover,
covered entities are not required to
obtain “satisfactory assurances” with
a subcontractor-business associate;
rather, the business associate must
obtain these assurances.26
Under the Privacy Rule, a business
associate is directly liable for uses and
disclosures of PHI that do not comply
with its business associate agreement.27
A business associate may also be liable
for failing to enter into a business associate agreement with a subcontractor.28 Failure to comply with the so-called "minimum necessary" provision
of the Privacy Rule, which requires an
entity to make reasonable efforts to
limit PHI to the minimum necessary
to accomplish the intended purpose,
may also result in liability.29 Finally,
failing to disclose PHI to the covered
entity, the individual, or HHS when
investigating a business associate’s
compliance with HIPAA may result in
liability.30
The Omnibus Rule also expands
the duties of covered entities and
their business associates under the
Breach Notification Rule.31 Business
associates are required to report breaches of
unsecured PHI to the covered entity without unreasonable delay
and no later than 60 days after discovering the breach.32 The
rule imputes knowledge of a breach
on any agents of the covered entity,
which would include business associates if they act as agents.33
Importantly, the Omnibus Rule
broadens the definition of “business
associate.”34 Any entity that “creates,
receives, maintains, or transmits” PHI
is considered a “business associate.”35
The rule also makes clear that entities
that enter into contracts with business associates and that create, receive,
maintain, or transmit PHI on behalf
of business associates are themselves
regulated as business associates.36
In other words, subcontractors and
vendors that do not have any direct
relationship with a covered entity,
but have an agreement with another
business associate, are now considered
business associates under HIPAA
and are subject to the same requirements as the covered entity if they
create, receive, maintain, or transmit
the covered entity’s PHI.37 Covered
entities, therefore, may be held liable
under HIPAA for the actions of a sub-
contractor of a business associate with
whom the covered entity has no direct
relationship.38
There is an important limitation,
however, on a covered entity’s liability
for the actions of its business associates. The Omnibus Rule provides that
a covered entity may be held liable for
civil monetary penalties for an “act or
omission of any agent of the covered
entity, including a” business associate or subcontractor, “acting within
the scope of the agency.”39 Accordingly,
covered entities can avoid liability for
the actions of their business associates – including business associate
subcontractors and vendors – by
ensuring that an agency relationship
does not exist, or, if agency exists, that
the agent was not acting “within the
scope of [its] agency.”40 The Omnibus
Rule provides only limited insight into
when OCR will find that agency relationship exists and when an agent is
acting within the scope of its agency.
Attorneys representing covered entities
and business associates largely will be
left to their own devices to decipher
federal common law of agency principles to figure out the effects of this
provision. The next section discusses
some of these relevant agency principles that OCR will likely use when it
makes a determination as to whether
an agency relationship exists.
A. What is an “Agent?”
In making its determination as
to whether an agency relationship
exists, OCR will look at the business
associate agreement and the totality of the facts and circumstances
surrounding the relationship; thus,
there is no universal rule for determining agency.41 To make matters
more complicated, the Omnibus Rule
does not define “agent” or “scope of
agency.”42 Instead, the rule explains
that OCR will determine whether an
agency relationship exists based on the
federal common law of agency.43 The
Restatement (Third) of Agency,
to which many federal courts look for
guidance on agency issues, defines an
agent as someone who acts “on the
principal’s behalf ” and “subject to
the principal’s control.”44 This largely
reflects the Omnibus Rule’s definition
of “business associate” as a person who
performs functions or activities “on
behalf of, or certain activities for, a
covered entity” that involve the use or
disclosure of PHI.45
Another issue is whether a business associate would be classified as
an “independent contractor” or as
an “employee” under federal common law.46 The definition of “business associate” expressly excludes “a
member of the workforce of such
covered entity,” defined as employees
or other persons whose conduct is
under the direct control of the covered
entity (or business associate).47 While
this might imply that employees are
expressly excluded from the “business
associate” definition, and thus that
business associates should be treated
as independent contractors for agency
law purposes,48 the regulations do not
expressly rule out the possibility that
a business associate, under certain circumstances, might act as an “employee” of the covered entity for purposes
of determining liability under HIPAA.
The dichotomy between labeling a
business associate as an independent
contractor versus an employee seems
less significant to OCR than analysis
based on federal common law and the
specific factors set forth in the Omnibus Rule.49
Specifically, the Omnibus Rule indicates that the right or authority of a
covered entity to control the business
associate’s conduct in the course of
performing a service is an essential factor in determining whether an agency
relationship exists:
[I]f the only avenue of control
is for the covered entity to
amend the terms of the agreement or sue for breach of
contract, this generally indicates that a business associate
is not acting as an agent. In
contrast, a business associate
generally would be an agent
if it enters into a business
associate agreement with a
covered entity that granted
the covered entity the authority to direct the performance
of the service provided by its
business associate after the
relationship was established.50
Thus, a covered entity’s ability to issue interim instructions or directions
after entering into a business associate
agreement is significant for determining agency.51
According to the Restatement
(Third) of Agency, a principal
becomes liable for the acts of an agent
when the principal has a right to control physical details as to the manner
of performance.52 A business associate
generally would not be an agent of the
covered entity if the covered entity's
control over the actions of its business associate is limited by the terms
of the business associate agreement,
so that the only way to direct the business
associate is to amend the agreement or
sue for breach of contract.53 However,
if a covered entity has the authority
to instruct the business associate in
the provision of services in other ways
– for example, if a business associate
agreement provides that the business
associate will make PHI available
pursuant to an individual’s right of
access under 45 C.F.R. § 164.524 as
directed by the covered entity plan –
this would be evidence of an agency
relationship.54 As a general rule, if the
only way a covered entity can control
the actions of a business associate after
signing a business associate agreement
is to sue for breach of contract based
on that agreement, an agency relationship is less likely to exist.55
The Omnibus Rule invokes another
principle of agency law – that a person under a duty to protect another
cannot avoid liability by delegating
performance of the duty to another.56
Therefore, under HIPAA, an agency
relationship might exist when a covered entity contracts out or delegates
a particular obligation under HIPAA
to its business associate.57 The policy
behind this provision is to ensure that
a covered entity or business associate
would remain liable for penalties for
the business associate agent failing to
perform an obligation on behalf of the
covered entity or business associate.
Two U.S. Supreme Court cases are
instructive for determining whether
an agency relationship exists. In
Community for Creative Non-Violence
v. Reid58 and Nationwide Mutual
Insurance Co. v. Darden,59 the Court
set forth a list of 13 non-exhaustive
factors to consider when determining
agency: the hiring party’s right to control the manner and means by which
the product is accomplished; the skill
required; the source of the instrumentalities and tools; the location of the
work; the duration of the relationship
between the parties; whether the hiring party has the right to assign additional projects to the hired party; the
extent of the hired party’s discretion
over when and how long to work; the
method of payment; the hired party’s
role in hiring and paying assistants;
whether the work is part of the regular
business of the hiring party; whether
the hiring party is in business; the
provision of employee benefits; and the tax treatment of the hired party.60
With these factors in mind, consider the example of a covered entity
hiring a company to run a call center
that responds to customer service
inquiries. The two entities enter into a
business associate agreement. Because
the covered entity has hired the company to perform a specific function, an
agency relationship likely would not
exist, assuming the business associate
agreement limits the covered entity’s
authority to control the business associate’s manner and means of performing its function. The employees of
the business associate would be kept
separate from those of the covered
entity, and they would be hired by and
paid by the business associate instead
of by the covered entity.61 Moreover,
the covered entity is not in the business of operating call centers.62 The
same would likely be true for most
document storage companies, another
common example of a business associate.
An agency relationship might arise
in the call center example, however,
if the circumstances were slightly different. OCR might be more likely to
find an agency relationship if the call
center’s only client is the covered entity and it was created for the sole purpose
of serving the covered entity. Similarly,
a business associate that provides temporary or time-limited services, such
as computer repairs or IT upgrades,
tends to work on site at the covered
entity’s place of work and to work solely
for the covered entity, which indicates
that an agency relationship is more
likely to exist.
B. When Does an Agent Act
Within the Scope of Its Agency?
Even if an agency relationship exists, however, the business associate
must have been acting within the scope
of its agency for the covered entity to
be liable for the business associate’s actions (including those of subcontractors).63 The HITECH Omnibus Rule
sets forth four criteria based on federal
common law for determining whether
a business associate’s activity occurred
within the scope of its agency: (1) the
time, place, and purpose of the conduct; (2) whether the covered entity
(or business associate in a subcontractor relationship) had control over
the course of the business associate’s
conduct; (3) whether the conduct is
commonly performed by the business associate on behalf of the covered
entity (or other business associate in
a subcontractor relationship); and (4)
whether the covered entity (or other
business associate in a subcontractor
relationship) reasonably expected that
the business associate would engage in
the conduct.64 Ultimately, a business
associate’s conduct generally will be
within the scope of its agency if it occurs during the performance of the assigned work or incident to such work,
though even acts “contrary to clear
instructions of the covered entity” can
lead to liability of the covered entity.65
The covered entity likely will not be
liable, however, if the business associate’s conduct was for its own benefit
or too little actuated by the purposes
of the covered entity.66 Similarly, if an
employee’s tortious conduct is unrelated either to work assigned by the
employer or to a course of conduct
that is subject to the employer’s control, the conduct is outside the scope
of employment.67 The conduct of an
employee who undertakes a course
of work-related conduct for the sole
purpose of furthering the employee’s
interests or those of a third party will
often lie beyond the employer’s effective control.68
Returning to the call center example above, assume that the call
center’s only client was the covered
entity and that it was created for the
sole purpose of serving the covered entity; therefore, an agency
relationship exists. If an employee of
the call center negligently leaves his
computer logged in and an intruder
manages to obtain PHI from the hard
drive, the covered entity likely would
be liable for the actions of the business
associate employee even if the business associate agreement provided that
the employees would be appropriately
trained in IT security matters. The
breach occurred during the performance of the employee’s work pursuant to the call center’s duties under
the business associate agreement.69
Moreover, the employee was not acting solely for the benefit of himself or
a third party. Thus, the covered entity
could be liable for the penalties associated with the breach. On the other
hand, the actions of an employee who
decides to sell PHI to a third party are
likely beyond the scope of the business
associate agreement and for the sole
benefit of the employee.70
As the Omnibus Rule points out,
applying federal common law of
agency requires a detailed facts and
circumstances analysis that can easily
lead to differing conclusions as to
when an agency relationship exists.
To make matters more complicated,
lawyers familiar with state common
law of agency in their home state
should note that federal common law
of agency could differ from some state
common law with respect to when
an agency relationship exists. There is
also a question as to whether state law
might be applicable if a state attorney
general is involved as opposed to a
federal official. While state common
law of agency generally mirrors federal
common law of agency, state agency
law could differ from federal law in
certain situations. For example, some
states have statutes that limit a health
care provider’s liability to the actions
or omissions of its employees and
expressly exclude liability for agents.71
Attorneys should be familiar with the
peculiarities of their own state’s laws
of agency in such circumstances.
C. Negotiating New Business
Associate Agreements
Covered entities should review
their business associate agreements
to ensure that a business associate
would not be considered an agent of
the covered entity in the first place.
There are several provisions a covered
entity could include in a business
associate agreement to protect itself
from liability. For example, the
agreement should include disclaimers
explaining that the covered entity
maintains no control or authority
over the business associate to provide
interim instructions or directions
with regard to how the business
associate performs its functions
pursuant to the agreement. The terms
of the agreement should set forth the
entirety of the relationship between
the two entities and should indicate
that the business associate may only
act pursuant to the agreement.
The agreement should also
include, alongside its indemnification
provisions, an exclusive-remedy clause
providing that the sole legal action
that the covered entity may initiate
against the business associate is a
breach of contract claim. Similarly,
the covered entity should include
in the indemnification provisions
disclaimers providing that the covered
entity is not liable for any civil
monetary penalties arising from a
business associate’s HIPAA violation
occurring during the performance
of – or outside the scope of –
terms within the business associate
agreement. Covered entities and
business associates might also consider
purchasing HIPAA liability insurance
to pay for legal representation and
penalties for issues arising under
HIPAA, as general liability insurance
typically does not cover data breaches and
similar violations.72
Many issues as to whether a
business associate was acting within
the scope of its agency with regard to
a possible HIPAA violation can also
be addressed in a contract between
the business associate and covered
entity. For example, covered entities
and business associates could have a
service agreement underlying their
standard business associate agreement
that sets forth the duties of the
business associate. Whether in the
business associate agreement or in
an underlying service agreement, it
is important for the covered entity
to limit the duties of the business
associate to those absolutely necessary
for the business associate to perform
its functions, thus limiting the covered
entity’s liability in the event of a
HIPAA violation. This essentially
limits the scope of agency.
III. Unique Issues Facing Attorneys
as Business Associates
Attorneys who do not regularly
practice in health care law may
be surprised to find that using or
accessing PHI in the course of
representing a client can make them
a business associate.73 As business
associates, attorneys, too, should
amend or enter into new business
associate agreements with their
covered entity or business associate
clients. Even though covered entities
were already required to have business
associate agreements with their
attorneys before the Omnibus Rule,
as the HITECH Act has empowered
OCR to impose civil monetary
penalties directly against business
associates since February 2010,
OCR has never pursued such actions
against business associate lawyers.74
This could change, however, now
that the provisions of the Omnibus
Rule have gone into effect. Attorneys
should pay close attention to certain
provisions in the Privacy and Security
Rules and the Breach Notification
Rule. Additionally, attorneys should
be cognizant of any professional
responsibility issues that may arise
when creating or amending their
business associate agreements with
clients. While a comprehensive
discussion of all the changes the
Omnibus Rule brings for attorney
business associates is beyond the scope
of this article, a summary of the more
relevant changes is below, followed
by a discussion of professional
responsibility considerations when
attorneys negotiate business associate
agreements with clients.
A. Privacy Rule
Attorney business associates are
required under the Omnibus Rule
to comply with certain provisions of
the Privacy Rule regarding uses and
disclosures of PHI.75 For example,
attorneys must now make reasonable efforts to limit uses, disclosures,
requests, and provisions of PHI to the
minimum necessary to accomplish an
intended purpose, such as defending
a case.76 This means that law firms
should have in place policies and
procedures to limit access to information containing PHI only to those
who need the information to carry
out their duties. Implementing such
policies will require all employees who
may reasonably come into contact
with such documents containing PHI
to have training on compliance with
these HIPAA provisions, including
any administrative staff.
B. Breach Notification Rule
As explained above, business associates have expanded responsibilities
under the breach notification requirements of the Omnibus Rule. As business associates, lawyers and their law
firms must now notify a covered entity
within 60 days following the discovery of a breach of unsecured PHI.77
Additionally, OCR now presumes any
impermissible disclosure of PHI to be
a breach, including violations of the
minimum necessary standard, unless a
law firm can demonstrate “low probability” that the information has been
compromised.78 When determining
the probability that the information
was compromised, OCR considers
the nature and extent of the PHI
involved, the unauthorized person who used the PHI or to whom the disclosure
was made, whether the PHI was actually acquired or
viewed, and the extent to which the risk
to the PHI has been mitigated.79 Law
firms, therefore, should monitor and
log information access for purposes of
making this defense in the event of a
breach.80
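The "low probability of compromise" defense just described is only as good as the firm's record of who opened which PHI and when. The Python below is an added example, not code from the article or from any firm's document system, of a tamper-evident access log together with the two queries such a risk assessment needs: what a session touched during a window in which a workstation was left logged in (the scenario the article's call center example describes), and which accesses came from staff not assigned to the matter, which is both a minimum necessary problem and a presumed breach. The signing key, matter assignments, user names, record identifiers and log lines are all assumed or constructed for illustration.

```python
"""Tamper-evident PHI access log plus the two queries a breach risk
assessment under the Breach Notification Rule needs.  Added illustration,
not code from the article or any law firm's system; every user, matter,
record name and timestamp below is constructed."""
import hashlib
import hmac
import json
from datetime import datetime

# Assumed: a signing key held by the firm's designated security official,
# not by the users whose access is being recorded.  Rotate it in production.
LOG_KEY = b"example-log-signing-key-not-for-production"

# Assumed matter staffing: which staff may open PHI for which matter.
ASSIGNMENTS = {"M-1001": {"jdoe", "asmith"}, "M-1002": {"asmith"}}


def entry_mac(prev_mac, entry):
    """HMAC over the previous entry's MAC and this entry's canonical JSON.
    Chaining each line to the one before it means altering or deleting an
    earlier line invalidates every later MAC, so an intact chain supports
    the claim that the log shows what was actually viewed."""
    payload = prev_mac.encode() + json.dumps(entry, sort_keys=True).encode()
    return hmac.new(LOG_KEY, payload, hashlib.sha256).hexdigest()


def append(log, ts, user, matter, record, action):
    """Record one access (view, download, ...) chained to the log tail.
    Only the record identifier is logged, never the PHI itself."""
    entry = {"ts": ts, "user": user, "matter": matter,
             "record": record, "action": action}
    prev = log[-1]["mac"] if log else "genesis"
    entry["mac"] = entry_mac(prev, entry)
    log.append(entry)
    return entry


def verify_chain(log):
    """True only if every MAC recomputes from its predecessor and body.
    Caveat: removal of the newest entries is not detected by the chain
    alone; anchor the latest MAC somewhere users cannot write (for
    example a daily export) to cover that case."""
    prev = "genesis"
    for e in log:
        body = {k: v for k, v in e.items() if k != "mac"}
        if not hmac.compare_digest(entry_mac(prev, body), e["mac"]):
            return False
        prev = e["mac"]
    return True


def accesses_in_window(log, user, start, end):
    """Records an account touched between start and end (ISO 8601).
    For a workstation left logged in, everything the session opened
    inside the window must be presumed acquired by the intruder."""
    s, t = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return sorted({e["record"] for e in log
                   if e["user"] == user
                   and s <= datetime.fromisoformat(e["ts"]) <= t})


def minimum_necessary_violations(log, assignments=ASSIGNMENTS):
    """Accesses by staff not assigned to the matter: each is an
    impermissible use the firm must risk-assess rather than ignore."""
    return [e for e in log
            if e["user"] not in assignments.get(e["matter"], set())]


def build_sample_log():
    """Constructed sample: one working day on a firm's document system."""
    log = []
    append(log, "2014-03-03T09:02:00+00:00", "jdoe", "M-1001", "PHI-record-17", "view")
    append(log, "2014-03-03T10:15:00+00:00", "asmith", "M-1002", "PHI-record-40", "view")
    append(log, "2014-03-03T12:10:00+00:00", "jdoe", "M-1001", "PHI-record-21", "view")
    append(log, "2014-03-03T12:35:00+00:00", "jdoe", "M-1001", "PHI-record-22", "download")
    append(log, "2014-03-03T14:00:00+00:00", "rroe", "M-1001", "PHI-record-17", "view")
    append(log, "2014-03-03T15:20:00+00:00", "jdoe", "M-1001", "PHI-record-17", "view")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", verify_chain(log))
    # jdoe reports the workstation was unattended but logged in, 12:00 to 13:00.
    print("records exposed:", accesses_in_window(
        log, "jdoe", "2014-03-03T12:00:00+00:00", "2014-03-03T13:00:00+00:00"))
    print("minimum-necessary violations:",
          [(e["ts"], e["user"], e["record"]) for e in minimum_necessary_violations(log)])
```

The window query gives the firm the "was PHI actually acquired or viewed" factor as a concrete list of records rather than a guess, and the assignment check is the detection side of the access restriction the Security Rule section below calls for. Keep the log itself free of PHI contents so that the audit trail does not become a second copy of the data it is meant to protect.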
C. Security Rule
Law firm business associates must
also comply with all provisions of the
Security Rule as amended by the Omnibus Rule. Notable requirements for
law firms include designating a security official, ensuring workforce compliance, and developing written policies
and procedures to protect PHI.81 Law
firms should have in place safeguards
such as: locking medical records when
not in use; appropriately securing
computers, servers, and networks
that contain PHI from improper access; prohibiting access by improper
parties, such as staff not working on
the specific matter; password management; training; and encrypting data
in storage or when transmitted over a
non-secure network.
D. Conflicts with Attorneys’
Professional Responsibilities
Attorneys should be wary of
any duties they have under their
state’s professional responsibility
rules when negotiating contracts
between themselves and covered
entity (or business associate) clients.
Many covered entities want all of
their business associates, including
law firms that represent them, to
sign the same business associate
agreement. Lawyers should resist
signing a standard boilerplate business
associate agreement, as lawyers have
professional responsibility duties
distinct from other vendors.
The new requirements under
the Omnibus Rule can create an
uncomfortable dynamic between
a client and his attorney, as they
effectively become adverse parties for
purposes of negotiating the terms of
a business associate agreement and
the allocation of risk for a security
breach. One concern is whether
attorney business associates must
advise a client – either existing or
potential – regarding the client’s right
to consult with independent counsel
before signing the agreement.82
One solution is to include a
statement in the business associate
agreement explaining that the parties
acknowledge that the lawyer is not
representing the client in connection
with the negotiations of the terms of
the business associate agreement, and
that the client waives his right to have
an independent counsel review the
agreement. Such provisions should
also be explained to the client.
A lawyer is prohibited in general
from using information relating
to representation of a client to the
client’s disadvantage – unless the
client consents after consultation
– under Rule 1.8(b) of the Model
Rules of Professional Conduct. Thus,
lawyers should be careful when
negotiating with clients the terms of
a business associate agreement not
to use information gained through
representation of the client to the
client’s disadvantage. Attorneys should
obtain client’s consent after explaining
the nature of the negotiations for the
business associate agreement before
the client signs the contract.
Other provisions in the HITECH
Act, if followed literally, could result
in breaches of the attorney-client
privilege and work product. For
example, the HITECH Act requires a
business associate that becomes aware
of a breach by its covered entity client
to report the breach to HHS under
certain circumstances.83 HIPAA also
requires that all business associate
agreements include a provision stating
that the business associate will allow
HHS to review the business associate’s
records to ensure compliance with
HIPAA.84 Including such language
in an agreement with a law firm
without a relevant disclaimer could
result in unintentionally waiving
attorney-client privilege. Therefore,
attorneys should not sign a business
associate agreement without including
a disclaimer clearly stating that the
agreement does not waive the client’s
rights under the attorney-client
privilege.85
Many standard business
associate agreements also contain
indemnification provisions,
some of which could potentially
void an attorney’s malpractice
insurance coverage.86 Rule 1.8(h)(1)
forbids attorneys from making
any agreement that prospectively
limits the lawyer’s liability to a client
for malpractice unless the client is
independently represented in making
the agreement.87 Attorneys should
make clear in their business associate
agreements that they are not waiving
liability for legal malpractice.
IV. Conclusion
Given that even acts contrary to
clear instructions of the covered entity
can lead to liability for the covered
entity, covered entities should avoid
agency relationships with business associates whenever possible and include
clear indemnification provisions when
an agency relationship might exist.
Covered entities and business associates should carefully review their
business associate agreements both to
ensure that they are compliant with
Omnibus Rule amendments and to
limit their liability to the extent possible with regard to agency principles.
Unfortunately, until OCR pursues
enforcement actions based on agency
principles, many uncertainties regarding OCR’s application of agency law
will remain.
Endnotes
1 James Hennelly is Manager of Health Policy and Reimbursement at Jeffrey J. Kimbell & Associates, a government affairs and health policy firm in Washington, D.C. that works exclusively on behalf of life sciences companies. He provides regulatory health policy support to biopharmaceutical and medical device manufacturers. Hennelly graduated cum laude from American University Washington College of Law and is a member of The Missouri Bar.
2 See HITECH Act [Omnibus Rule], 78 Fed. Reg. 5566 (Jan. 25, 2013) (modifying certain provisions at 45 C.F.R. §§ 160 and 164).
3 See 45 C.F.R. § 164.308(b).
4 See HIPAA Administrative Simplification Statute and Rules, U.S. Department of Health & Human Servs. (last visited April 10, 2014), available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/index.html.
5 See 42 U.S.C. §§ 1395b-5 and 1395ddd.
6 See id.
7 See 45 C.F.R. § 160.
8 See 45 C.F.R. § 160.103.
9 See 45 C.F.R. §§ 160 and 164, Subparts A and C.
10 45 C.F.R. § 160, Subparts C, D, and E.
11 See id.
12 45 C.F.R. § 160.103.
13 See id.
14 See 45 C.F.R. §§ 160 and 164.
15 45 C.F.R. § 160.103.
16 See Business Associates, U.S. Department of Health & Human Servs. (last updated Apr. 3, 2003), available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html.
17 See HITECH Act, 42 U.S.C. §§ 300jj, et seq., 42 U.S.C. §§ 17901 et seq.
18 Id.
19 HITECH Act [Omnibus Rule], 78 Fed. Reg. 5566 (Jan. 25, 2013) (codified at 45 C.F.R. §§ 160 and 164).
20 Id.
21 See 45 C.F.R. § 164.302.
22 See 45 C.F.R. §§ 164.306, 164.308 and 164.310.
23 See id.
24 See 45 C.F.R. § 164.314(a).
25 See 45 C.F.R. § 164.532(f).
26 See 45 C.F.R. § 164.308.
27 See 45 C.F.R. § 164.500(a).
28 See 45 C.F.R. § 164.308(b)(2).
29 45 C.F.R. § 164.502(b).
30 45 C.F.R. § 164.502(a)(4).
31 45 C.F.R. § 164.410(a)(2).
32 Id.
33 See id.
34 See 45 C.F.R. § 160.103.
35 Id.
36 Id.
37 Id.
38 See 45 C.F.R. § 160.103(3)(iii).
39 See 45 C.F.R. § 160.402(c) (emphasis added).
40 See id.
41 HITECH Act, 78 Fed. Reg. at 5581 (Jan. 25, 2013).
42 See 45 C.F.R. § 160.402(c)(2).
43 Id.
44 Restatement (Third) of Agency § 1.01 (2006).
45 See 45 C.F.R. § 160.402(c).
46 See Restatement (Third) of Agency § 7.07 (2006) (indicating the circumstances in which an employer is liable for the actions of his employee); see also Amy S. Leopard & Aaron Graham, Business Associates Under the New HITECH Omnibus Rule: Be Wary of Secret Agents, Bloomberg BNA Insights, Health Law Center (Mar. 11, 2013) (available only by subscription).
47 45 C.F.R. § 160.103.
48 See, e.g., Amy S. Leopard & Aaron Graham, Business Associates Under the New HITECH Omnibus Rule: Be Wary of Secret Agents, Bloomberg BNA Insights, Health Law Center (Mar. 11, 2013) (explaining that the exclusion of a covered entity’s “workforce” from the definition of “business associate” indicates that business associates are independent contractors rather than employees for agency law purposes).
49 See 45 C.F.R. § 160.402(c)(2).
50 78 Fed. Reg. at 5581 (Jan. 25, 2013).
51 See id.
52 See Restatement (Third) of Agency § 7.07(3)(a) (2006) (providing that “an employee is an agent whose principal controls or has the right to control the manner and means of the agent’s performance of work”); see also id. § 1.01, cmt. (f).
53 See HITECH Act, 78 Fed. Reg. at 5581 (Jan. 25, 2013).
54 See id.; see also 45 C.F.R. § 164.524.
55 See HITECH Act, 78 Fed. Reg. at 5581 (Jan. 25, 2013).
56 Restatement (Third) of Agency § 7.06 (2006).
57 See id.
58 490 U.S. 730 (1989).
59 503 U.S. 318 (1992).
60 Nationwide, 503 U.S. 318; Cmty. for Creative Non-Violence, 490 U.S. 730.
61 See Nationwide, 503 U.S. 318 (explaining that the location of the work performed and the method of payment are relevant factors for determining whether an agency relationship exists).
62 See id. (indicating that whether the work was part of the regular business of the hiring party is a relevant factor for determining whether an agency relationship exists).
63 See HITECH Act, 78 Fed. Reg. at 5581 (Jan. 25, 2013).
64 Id.
65 See id. at 5582; see also Restatement (Third) of Agency § 7.07 cmt. (c) (2006) (explaining how “[t]he fact that the employee performs the work carelessly does not take the employee’s conduct outside the scope of employment, nor does the fact that the employee otherwise makes a mistake in performing the work. Likewise, conduct is not outside the scope of employment merely because an employee disregards the employer’s instructions.”).
66 See id.; see also Restatement (Third) of Agency § 8.02 (2006).
67 See Restatement (Third) of Agency § 8.09 (2006).
68 See id. § 8.02.
69 See HITECH Act, 78 Fed. Reg. at 5581 (Jan. 25, 2013) (codified at 45 C.F.R. §§ 160 and 164) (providing that a business associate’s “conduct generally [will be] within the scope of [its] agency” if it “occurs during the performance of the assigned work or incident to such work”). Id. at 5582.
70 See Restatement (Third) of Agency § 8.02 (2006).
71 See, e.g., § 538.210(3), RSMo Supp. 2013 (“No individual or entity whose liability is limited by the provisions of this chapter shall be liable to any plaintiff based on the actions or omissions of any other entity or person who is not an employee of such individual or entity whose liability is limited by the provisions of this chapter.”) (emphasis added). Section 538.210 was held unconstitutional by Watts v. Lester E. Cox Medical Centers, 376 S.W.3d 633 (Mo. banc 2012). While this provision is traditionally applied to health care providers in personal injury matters, one could argue that it could have applied for purposes of determining agency in a HIPAA enforcement action if Missouri state law applied.
72 See Business Associates Who Act as “Agents” Create New Liability for Covered Entities, 10 Report on Patient Privacy 3 (Sept. 2010), available at http://www.hallrender.com/library/articles/827/rpp0910.pdf.
73 See 45 C.F.R. § 161.103(1)(ii).
74 See Kathryn Hume & Patrick Archbold, 2013 HIPAA Omnibus Rules Increase Risks for Law Firms, Law Technology News (Apr. 11, 2013), available at http://www.law.com/jsp/lawtechnologynews/PubArticleLTN.jsp?id=1202595169766&2013_HIPAA_Omnibus_Rules_Increase_Risks_for_Law_Firms&slreturn=20130411170659 (indicating that instead of penalizing law firms for lack of compliance with HIPAA, OCR has focused its regulatory efforts on health care providers and related health care organizations before the Omnibus Rule).
75 See 45 C.F.R. § 160.310.
76 See id. at § 160.310(c).
77 45 C.F.R. § 164.410(a)(2).
78 HITECH Act, 78 Fed. Reg. at 5641 (Jan. 25, 2013).
79 Id. at 5695.
80 See Hume & Archbold, supra note 74.
81 See 45 C.F.R. §§ 164.308 and 164.316; HITECH Act, 78 Fed. Reg. at 5694 (Jan. 25, 2013); see also Hume & Archbold, supra note 74.
82 See Alan S. Goldberg, HIPAA, HITECH Act, Attorneys, and Business Associates: Professional Conduct Contracting Requirements Are Expanding – Are You Ready Now?, American Health Lawyers Association (Mar. 2010), available at http://www.healthlawyers.org/Events/Programs/Materials/Documents/AM10/goldberg_hipaa_hitech_act.pdf.
83 42 U.S.C. § 17932(e)(3); 45 C.F.R. § 164.308(a)(6)(ii).
84 See Sample Business Associate Agreement Provisions, U.S. Department of Health & Human Servs. (Jan. 25, 2013), available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html.
85 Whether the HIPAA requirements trump the attorney-client privilege is yet to be determined by the courts, though courts tend to favor upholding the attorney-client privilege when it conflicts with federal enforcement provisions in the healthcare field. See, e.g., United States ex rel. Fair Lab. Practices Assocs. v. Quest Diagnostics, Inc., 2011 WL 1330542, No. 05 Civ. 5393 (RPP) (S.D. N.Y. Apr. 5, 2011) (disqualifying an attorney qui tam relator bringing a claim under the False Claims Act based on information protected by the attorney-client privilege).
86 See Jeff Drummond, Attorney Responsibilities Under HIPAA, Dallas Bar Ass’n, available at http://www.dallasbar.org/content/attorney-responsibilities-under-hipaa (last visited May 10, 2013).
87 Model Rules of Prof’l Conduct R. 1.8(h)(1).