I was recently discussing with someone the possible legal damages of a HIPAA violation by a healthcare organizations business associate. We all know that thanks to HIPAA omnibus, the business associate will now be held liable for any HIPAA breaches or violations that occur. One question I haven’t seen addressed was whether the covered healthcare organization entity would be held responsible for the business associates breaches or violations. Before, the healthcare organization would be the only one with consequences. Are the consequences for the healthcare organization still the same if a business associate has a HIPAA breach?
I think the answer probably depends on the business associate agreement. Although, maybe you can’t shield yourself of liability from business associates negligence just with a well done business associate agreement. Hopefully some of me healthcare lawyer readers can shed light on this subject.
One thing I am sure of is that the legal damages pale in comparison to the damages to a brand when a HIPAA violation occurs even when the violation is completely the responsibility of the business associate. Healthcare organizations are still going to be held responsible for the violation. No doubt we’ll hear the phrase, “the healthcare organization should have properly vetted and checked that their business associates were following HIPAA.”
While we can all agree that many healthcare organizations aren’t as diligent as they should be with business associates, should the healthcare organization have to babysit all of their business associates?
Like most things in life, there has to be a balance. You can’t play big brother with all of your business associates. You’ll drive your business associates crazy and waste a lot of resources in the process. However, I think we can look to HIPAA for the guidelines. Every healthcare organization should have a well thought out understanding and process for how they decide who they work with as business associates.
The reality is that regardless of who takes on the legal consequences of a HIPAA violation, the healthcare organization is the one that has to worry most about the damage to their brand.