A Summary of the Proposed HIPAA Regulations Implementing HITECH
Direct Business Associate Liability


Under the current HIPAA provisions, a covered entity is not liable for the unlawful acts of its business associates if there is a valid business associate agreement between the parties, the covered entity did not know about the violation, and the covered entity did not fail to act as required by HIPAA. The Proposed Rule would eliminate this exception and make covered entities directly liable for the actions of their business associates, regardless of whether the parties have signed a valid business associate agreement.110 This exception, however, would not create liability for business associates that are independent contractors.111 Whether a business associate is an agent of the covered entity will depend on the level of control that the covered entity has over the business associate.112 The Proposed Rule would also add a parallel provision making business associates liable for the acts of their agents, including any workforce member or subcontractor acting within the scope of the agency.113 With this new provision, the principal-agent relationship will be crucial to determining civil money penalty liability for HIPAA violations.



  • 110. Id. at 40,914 (to be codified at C.F.R. § 160.402(c)).
  • 111. Id. at 40,880.
  • 112. Id.
  • 113. Id. at 40,879.