Direct Business Associate Liability
Under the current HIPAA provisions, a covered entity is not liable for the unlawful acts of its business associates if there is a valid business associate agreement between the parties, the covered entity did not know about the violation, and the covered entity did not fail to act as required by HIPAA. The Proposed Rule would eliminate this exception and make covered entities directly liable for the actions of its business associates, regardless of whether the parties have signed a valid business associate agreement.110 This exception, however, would not create liability for business associates that are independent contractors.111 Whether a business associate is an agent of the covered entity will depend on the level of control that the covered entity has over the business associate.112 The Proposed Rule would also add a parallel provision making business associates liable for the acts of its agents, including any workforce member or subcontractor acting within the scope of the agency.113 With this new provision, the principal-agent relationship will be crucial to determining civil money penalty liability for HIPAA violations.
.png)