Historically, organizations that outsourced have pretty much done just one thing to ensure their outsourced business partners would appropriately protect the information to which they had been given access or possession: Include a brief information security clause with no details to speak of. Oh, and also include a lengthier “No Liability,” or “Limited Liability,” clause to try to avoid being held accountable for the bad things that happen to their information under their business partner’s care.
However, the recently released HIPAA Omnibus Rule makes clear that, in the healthcare space, such attempts will no longer make a difference, and that covered entities (CEs) can be found liable for the actions of their business associates (BAs). This is an important tide change that will soon ripple throughout all other industries with regard to holding organizations responsible, to varying extents, for the actions of their outsourced business partners.
Consider the discussion the Department of Health and Human Services (HHS) included in the 563-page tome that is the Final Omnibus Rule. They emphasized that the changes:
“make covered entities and business associates liable under § 160.402(c) for the acts of their business associate agents, in accordance with the Federal common law of agency, regardless of whether the covered entity has a compliant business associate agreement in place.
Section 160.402(c) closely tracks the language in section 1128A(l) of the Social Security Act, which is made applicable to HIPAA by section 1176(a)(2) of such Act, which states that “a principal is liable for penalties . . . under this section for the actions of the principal’s agents acting within the scope of the agency.” One reason for removing the exception to the general provision at § 160.402(c), as we explained in the NPRM, is to ensure, where a covered entity or business associate has delegated out an obligation under the HIPAA Rules, that a covered entity or business associate would remain liable for penalties for the failure of its business associate agent to perform the obligation on the covered entity or business associate’s behalf.”
The emphasis in the above is mine. It seems this logic would apply to organizations of any type, wouldn’t it? Especially since the basis is the Social Security Act, which all businesses must observe? I’ve had some interesting discussions with some of my privacy lawyer friends, some who believe strongly it will, and some who believe it won’t. Such uncertainty tells me that it will ultimately become a matter that a court decision decides, most likely sooner rather than later.
It has always been a good business idea to make sure that the organizations that are entrusted with business and customer information have strong controls in place to protect that information. Even without any explicit statements such as those made by the HHS, whenever it comes time to file a civil suit, the chances are the entity with the deeper pockets, which is usually the business that is doing the outsourcing to another entity, will be the one that is taken to court.
Does a business really want to take such a large gamble that their business partners don’t need any information security and privacy oversight, when losing that gamble could result in a loss of literally millions of dollars and decades of regulatory agency audits and oversight?