Reprinted from REPORT ON PATIENT PRIVACY [11/15/10], the industry’s most practical source of news on HIPAA patient privacy provisions.
The July 14 notice of proposed rulemaking issued by HHS to implement parts of the HITECH Act threw covered entities and business associates for a loop when it introduced the concept of subcontractors, as well as the notion of agency.
In the proposed rule, the Office for Civil Rights held that if a business associate or subcontractor were acting as an “agent” of the other, then the covered entity (CE) or business associate (BA) would be liable, or at least share the liability if enforcement action were ever forthcoming.
The question of agency has emerged as a major flash point among CEs and BAs since it was introduced. Commenters on the proposed rule, including the American Hospital Association, have registered strong opposition to the concept. AHA, in fact, implored OCR to scrap or significantly amend the agency provision, or at least clarify just who is an agent and how a CE would know.
So who is an agent? The proposed rule offered that “The determination of whether a business associate is an agent of a covered entity, or whether a subcontractor is an agent of a business associate, will be based on the facts of the relationship, such as the level of control over the business associate’s or subcontractor’s conduct.” If the BA or subcontractor is not an agent, the firm or individual would then be considered an independent contractor.
In reality, distinguishing independent contractors from agents is complex, and a determination must be made on a case-by-case basis, examining the factual circumstances and the relationships between the parties. Further complicating the equation is whether, even as an agent, the offending party was acting within the “scope of agency.” If the agent exceeded the scope, the CE would not be liable.
RPP asked several experts to help get to the bottom of agents and agency. Heidi Salow, of counsel with DLA Piper LLP’s communications, e-commerce and privacy practice group in Washington, D.C., says agency is based in common or case law, which arises from court rulings that form a consensus. “Agency” is not defined in actual law.
“The most important factor in determining whether an agency relationship exists is the level of control that the principal has over the agent,” Salow says. “Second is how that relationship looks to third parties.”
An agent might still be considered an agent “although the principal lacks the right to control the full range of the agent’s activities, how the agent uses time, or the agent’s exercise of professional judgment,” Salow says, quoting case law.
The common law of agency also holds that the “principal controls the results but also the means to achieve the results,” Salow says. Under this concept, the responsibility falls to the principal — the CE in this case — to know who is an agent, and to notify the agent that it is, in fact, an agent.
Agent or Independent Contractor?
Reviewing a few examples may be helpful, Salow says. “A CE could hire a company to respond to customer service inquiries, or to run a call center,” she says. “Those are general service provider types of relationships. They are hired to perform very specific functions.”
In this case, Salow’s opinion is that there does not seem to be an agency relationship, and the relationship would thus be one of an independent contractor. “The employees are separate; they are not hired by or paid by the CE. The location is separate,” she adds.
And yet…an agency relationship could be triggered under other circumstances, Salow points out. “If the call center’s only client was the CE and it was created just for the purpose of serving the CE, then I think that gets into a little more of a gray area,” Salow says.
Another example of a common CE-BA relationship is a document storage company. If, like the call center, it is off-site and serves other customers and other kinds of clients (not health care related), an agency relationship seems less plausible, she says.
In contrast, a CE might contract with a business that provides temporary or time-limited services, such as computer repairs or IT upgrades. The workers are on site. “Those individuals are doing nothing more than working for the CE,” Salow says. “That sounds more like an agency relationship.”
As stated earlier, in addition to determining whether a BA (or subcontractor) is acting as an agent, if something goes wrong, the CE (or BA, if appropriate) has another determination to make, and that is whether the agent was working “within the scope of the agency.”
That means that if the possible HIPAA infraction were committed by the BA but the firm or individual were doing something that was not part of the work agreement on behalf of the CE, the CE would then not be liable, Salow says.
Reece Hirsch, an attorney with Morgan, Lewis & Bockius in San Francisco, believes that most of these issues should be addressed in a contract specifying whether the BA is acting as an agent or is an independent contractor — as long as the facts and circumstances fit.
Salow agrees that CEs and BAs should have an underlying service agreement or other kind of contract that specifies the duties of the BA and spells out whether the BA is an agent or an independent contractor. This is separate from a BAA, Salow says.
“There almost always is an immediate assumption that an agency relationship is created” through a BAA, so this should be spelled out, she says. This is important also because the common law of agency holds that the CE may have “apparent” authority over the BA even if this isn’t stated.
As Salow notes, CEs and BAs must both be aware of how the interaction looks to the outside, in particular, because a principal-agency relationship could appear to be real, even if it isn’t on paper. That could mean that, in fact, the relationship is one of agency. Regardless of what the contract says, “You still have to be careful as to how you present those subcontractors to the world.”
For example, hospitals nowadays frequently contract out their records to storage companies, which are BAs. Those that deal directly with patients may look like a seamless operation that is part of the hospital.
Similarly, hospitals may employ fundraisers that send communications under the hospital’s letterhead. While BAs, they might appear to the patient to be indistinct from the hospital itself. “I think it could be useful to include some kind of statement to indicate the vendor is performing a service for the hospital,” he says, although he notes this could prove confusing to the patient.
Provision Will Cause ‘Unquantifiable Burden’
The concept of agency first became an issue with the August 2009 release of HHS’s interim final breach notification regulations, specifying that if the BA is an agent of the CE, the CE is assumed to know of a breach at the same time the BA learns of it. Knowledge of a breach is significant because it starts the clock ticking on notice to patients and authorities and the media (if appropriate), which is a task a CE has to complete within 60 days of discovery of the breach.
If AHA has its way, the whole agency concept could disappear from any final breach notification rule.
“Federal common law of agency requires a detailed facts and circumstances analysis that easily could lead to differing conclusions of when an agency relationship exists,” the association says. “[T]he fact-specific determination as to whether a business associate is an agent of a covered entity must be performed for each business associate relationship. For a covered entity with thousands of business associates, this analysis would be an unquantifiable burden,” AHA says in its comment letter.
AHA took issue with the breach rule’s agency provision in its letter, stating, “abiding by the federal common law’s fact-specific determination of agency is not a workable process by which to determine the applicable timeframe for breach notification.”
Hospitals need a uniform policy they can follow, AHA says, and do not want to engage in the “fact-specific determination” of figuring out who is an agent and who isn’t. A uniform policy, AHA says, “would prevent the confusion and administrative burdens” that the fact-finding determination entails.
AHA “strongly” requested that “HHS clarify that all business associates are governed by § 164.410(a) and its standard that a covered entity only ‘discovers’ a breach when informed of the breach by its business associate.”
This would be a big help, AHA says, especially because subcontractors are now included in the breach requirements. Because these entities are going to be entirely new to HIPAA, they — as well as CEs and BAs — will be struggling to apply the concept of agency properly.
If OCR doesn’t choose to remove the agent provision from the breach requirement, AHA asks instead if it could actually list who is an agent and who isn’t. “In the alternative, if HHS believes that an agent distinction is necessary, HHS could limit its definition of agency to certain common fiduciary relationships, such as lawyer-client and accountant-client relationships,” AHA says.
And the provision appears impossible to follow, says AHA. “Where a breach is experienced by a subcontractor who is working on behalf of a business associate agent, the covered entity for whom the business associate is an agent may have an obligation to notify affected individuals before it ever receives actual knowledge of the breach or in a very limited timeframe after it receives actual knowledge of the breach,” the association’s letter says.
Hirsch says OCR should heed the call from AHA and others to clarify the proposed rule. “I think it does make sense, at the very least, to give examples. A few vague references to the federal common law of agency aren’t very helpful,” he says.