Jump to content

Breach Notification

Recommended Posts

Has anyone seen a good discussion or any guidance on what makes a business associate an agent vs. an independent contractor under the HIPAA breach notification rules? I know that the preamble is replete with references to the federal common law of agency, but that is a huge field. The Restatement of Agency focuses on the right to control the actions of the business associate, which in the agreements I have seen is almost never present. I mostly work with group health plans, and the last thing they want is control over the business associate--performance standards, yes, but not control over performance of services.

On the other hand, many of these business associates are held out to participants and beneficiares as authorized to act on behalf of the plan, e.g., EAP provider, third party claims administrator, COBRA administrator. Is that sufficient to make them an "agent?" That's different from the control test--they are acting on behalf of a disclosed entity, but does not fact make them an agent?

I'm interested in other views on this question. Thanks.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Create New...