[ Thursday, March 25, 2004 ]
Can non-covered entities be held liable for a HIPAA violation?
My initial reaction has always been no; HIPAA specifically applies only to certain entities. All of the provisions of HIPAA state what “covered entities” can or can’t do. In fact, covered entities (or “CE’s”) specifically include only health plans, most providers, and health care clearinghouses.
It’s always been my understanding that penal statutes are strictly construed, so since HIPAA only applies to CE’s, others, such as business associates (or “BA’s”) can’t be prosecuted for HIPAA violations. If you’re not a CE, you can’t, by definition, violate HIPAA. If you’re a BA, you should have entered into a business associate agreement (or “BAA”) with the CE that gave you the PHI, and if you improperly use or disclose the PHI, you would be subject to a lawsuit by the CE for breaching the BAA. But you wouldn’t be subject to prosecution for a HIPAA violation, since you didn’t violate HIPAA (you couldn’t, since it’s not applicable to you).
But I’ve been having some fairly intense conversations with some folks who know a whole lot more about federal law enforcement (especially healthcare fraud enforcement) than I do, and that dichotomy starts to fall apart.
First, obviously, you can’t avoid a federal law by getting someone else to carry your water. This is a basic principal-agent issue. A CE can’t just get another entity to use or disclose PHI in a manner prohibited to the CE; the CE would still be guilty, even though it didn’t actually do the use or disclosure, since the acts of the agent are treated by the law as the acts of the principal.
But there’s more to it than that. Title 18, Section 2 of the US Code applies federal laws to agents. Basically, if a person commits an act while acting as agent of another party and the other party is legally prohibited from committing the act, the person is guilty. Here, the BA, as agent, does something in connection with the BA’s relationship with the CE, and the BA can be made to pay, even though the BA isn’t specifically subject to law. According to my sources, the BA isn’t subject to every law the CE is, but it is subject to those laws that relate to the relationship with the CE that’s the basis of the agency.
What if the CE doesn’t even know about it? The CE didn’t direct it; and only the CE is covered by HIPAA. Can the BA be held liable? I’m told yes. But isn’t this analogous to my driving my daughter to the mall? She can’t drive a car, but if I drive her to the mall, I’m driving a car for her; it’s illegal for her to drive a car but not illegal for me to do so. But since I’m acting as her agent, can’t I be found guilty for violating the law that’s only applicable to her?
No, says my law enforcement expert, since I’m acting as her agent taking her to the mall, not as her agent driving a car. She has the authority to authorize me to drive her to the mall, but not the legal authority to authorize me to drive a car. Similarly, a CE has the authority to authorize its BA to disclose info in a HIPAA compliant fashion, but only if the BA enters into a BAA. The CE doesn’t have the legal authority to authorize the BA to disclose in a HIPAA-violating fashion.
Additionally, because of the BAA, any breach by the BA would be a breach of trust with the CE as well. I know that this would be useful in a claim by the CE against the BA, but why would this have a distinction with regard to whether the BA can be prosecuted? I don’t know, other than it means the BA ought to be prosecuted.
Third, what about 3rd parties outside of the BA/CE or principal/agent relationship? I think they’re out. For example, if you are a photojournalist and you photograph somebody walking down the street on crutches, you can put that picture in the New York Times. The picture has PHI in it, but the photojourno isn’t a CE. But what if the cameraman is working part-time while away from his job as an EMS tech? Or if he’s a doctor taking pictures on the side?
What about a 3rd party that gets some information through the relationship with a CE and some information outside that relationship? Ultimately, I think it depends on the connection with the agency relationship. If the breach is within the agency relationship, or the information comes from the relationship, or if the breach or information is connected with the agency relationship, there might be grounds for holding the third party responsible and liable.
Finally, there won’t be too much enforcement activity for a while, I expect. I think some of this will flesh itself out before the FBI starts knocking down doors.
Jeff [12:34 AM]