How Long is the Liability Tail?

Don’t tell me it depends! Well, sorry, but…
I’ve been involved in several interesting discussions (some with lawyers, some with security folks, some with privacy folks, and a few of the folks wearing all three hats) about the liability of organizations that outsource business processing. Since January 17 I’ve also been working on a wide range of documentation changes to reflect the recently released 563 page tome that is the Final HIPAA Omnibus Rule. A significant part of the documentation and writing involves discussion of the increased liability a covered entity (CE) now has for the bad practices and mistakes made by their business associates (BAs).

Organizations want a clear cut answer to “how liable” they are for the actions of their outsourced entities. One CISO at a conference demanded, “Just tell me; are we going to be held responsible for the actions of our business associates or not? Just give me a yes or no answer! Don’t tell me it depends!!” Well, as with most things there is no black and white answer. You have to consider the factors involved within each specific situation. The liability tail can be very long or very short based upon the factors involved. So, sorry, but, yes, it depends!

Liability Clearly Communicated
Consider the discussion the Department of Health and Human Services (HHS) included in the Final HIPAA Omnibus Rule. They emphasized that the changes:

“make covered entities and business associates liable under § 160.402(c) for the acts of their business associate agents, in accordance with the Federal common law of agency, regardless of whether the covered entity has a compliant business associate agreement in place.

Section 160.402(c) closely tracks the language in section 1128A(l) of the Social Security Act, which is made applicable to HIPAA by section 1176(a)(2) of such Act, which states that ‘‘a principal is liable for penalties . . . under this section for the actions of the principal’s agents acting within the scope of the agency.’’ One reason for removing the exception to the general provision at § 160.402(c), as we explained in the NPRM, is to ensure, where a covered entity or business associate has delegated out an obligation under the HIPAA Rules, that a covered entity or business associate would remain liable for penalties for the failure of its business associate agent to perform the obligation on the covered entity or business associate’s behalf.

The emphasis in the above is mine. It seems this logic could apply to organizations in any type of entity, doesn’t it? Especially since the basis is the Social Security Act, which generally all U.S. businesses must observe? I’ve had some interesting discussions with some of my privacy lawyer friends, some who believe strongly it will, and some who believe it won’t. Such uncertainty tells me that it will ultimately become a matter that a court decision decides, most likely sooner rather than later.

In the meantime, let’s consider a breach and a few possible scenarios and look at the different extents possible for which the organization will share in liability for the errors/mistakes/inadequacies of their outsourced entities.

A Case Study

The situation
A medium-sized hospital contracts a small/medium-sized business (a family-owned business with 50 employees) to perform patient billing. So, the business is now a business associate (BA) of the hospital (CE). The CE has the BA sign a BA Agreement, based upon the example provided by the HHS. The CE also included a “No Liability” clause within the BA services contract to try and not be held accountable for the bad things that happens to their information under the BA’s care.
When the BA was contracted, it did not have any policies that required such protected health information (PHI) to be encrypted

The breach
Six months after contracting the BA, a worker within the BA has all the CE’s patient billing information, which includes the health information of 1,000 patients, stored on a laptop. While traveling, the laptop is stolen from the BA while going through the TSA security check. The laptop simply seems to vanish within the x-ray machine. The data on the laptop was not encrypted. Reports of identity fraud and medical identity theft for the patients whose information was on the laptop start accumulating a few weeks after the disappearance of the laptop.

Scenario 1

  • The CE did not ask the BA to validate that they had any policies in place, or were doing any activities to meet the requirements of the BA Agreement at the time the BA Agreement was signed.
  • The CE did not do any activities after the BA Agreement with regard to validating the BA had appropriate safeguards in place.

Scenario 2

  • The CE asked to review the BA’s information security and privacy policies when they were doing the contracting.
  • The CE noticed that there were no encryption requirements. However, since encryption is “Addressable” under HIPAA, they went ahead and signed the agreement, without mentioning this to the BA.

Scenario 3

  • The CE asked to review the BA’s information security and privacy policies when they were doing the contracting.
  • The CE noticed that there were no encryption requirements. They told the BA that as a requirement of their relationship, they wanted the BA to include a policy requiring all PHI on mobile devices to be encrypted, in addition to requiring all their workers to receive training and reminders about the need to encrypt PHI.
  • The BA provided documentation two months after the contract was signed indicating they had implemented new encryption policies, in addition to showing that all the employees had received training for encrypting mobile devices, and they also gave documentation showing their plans to provide periodic encryption reminders.

Analysis of Scenarios
The circumstances within each scenario are a bit different for the exact same breach situation. Those differences, though, could make a world of difference to the CE in any shared liability decisions.

  • Scenario 1: The CE did nothing beyond getting a BA Agreement signed in Scenario 1. Considering they did not do anything beyond getting a contract signed, and considering the storage of PHI on mobile devices has been proven (by the hundreds, perhaps thousands, of breaches involving mobile devices) to be a high risk activity, the HHS, the associated State Attorney General (AG) offices, and possibly the courts involved in any subsequent civil suits, could view the CE as failing to perform an appropriate level of due diligence. The CE could potentially get as severe of a penalty as the BA.
  • Scenario 2: The CE reviewed the policies, and if they documented this activity, that would show some level of due diligence. The fact that there was no action taken for the lack of encryption requirements, though, would likely be interpreted differently, based upon the folks involved from the HHS, the State AG offices, and the judges involved at the civil courts. Since “Addressable” does NOT mean “Optional” it could be argued that based upon the many breaches that have occurred to date, the CE should have done actions for the encryption issue instead of just letting it pass by, and then doing no other activity. Since the HHS is explicitly stating the CE “would remain liable for penalties for the failure of its business associate agent to perform the obligation on the covered entity or business associate’s behalf” it is likely, though not proven to date, that the CE would face some level of sanctions or penalties for the BA’s lack of security for their mobile devices. Those sanctions could vary between the multiple enforcement agencies involved.
  • Scenario 3: Considering the CE has done multiple actions to try and ensure the security of the BA, and the BA provided documentation showing they have done the actions the CE asked them to do, it would be hard to claim the CE did not do the proper level of due diligence. Of course, the determination would ultimately depend upon the opinions and experiences of those involved from the HHS, the State AG offices, and any civil court judges. However, this scenario would be most likely to result in no, or few, penalties to the CE for the bad things that have occurred through their BA.

The “No Liability” clause would likely have little to no impact, given the statements from the HHS, the Social Security Act, and the experiences to date of breaches involving mobile devices. Of course, this is debatable, and I know (I’ve heard) many lawyers have very strong and conflicting opinions about the effectiveness of such clauses.

Now, I could have thrown in a lot more details, which could have created many more possibilities with regard to the differences of the extent to which liability could be shared by the CE. However, for the purposes of this discussion, this should give you a good idea for why the answer to how much liability is shared is not clean cut and truly does depend up the factors involved.

Also, even though I used a hospital (covered entity) and their outsourced entity (a business associate) in these scenarios, the analysis would likely be similar within most other industries within the U.S. Can you think of any U.S. industries where this would not apply? How would this be handled in other countries? Many of my friends who are international information security and privacy experts likely know the answer to that last question.

I will be covering this issue of contracted entity oversight, along with a wide range of other vendor information security and privacy management issues, in May at a class the day before Secure 360 conference in St. Paul, called, “Vendor Information Security and Privacy Management”. If your organization outsources business activities, or if you are an organization that does work for other businesses, I encourage you to attend and join in on the conversation…and possibly debate!

Bottom line for organizations of all sizes…
Whenever you are outsourcing the processing of confidential and sensitive information, such as PHI, to another entity, you need to make sure that entity has appropriate safeguards in place. The more oversight you have for that outsourced entity’s security management activities, the more you can mitigate your liability for the security failures of your BA, and the shorter your liability tail.


tumblr visitor

Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Leave a Reply