The Department of Health and Human Services (“HHS”) has recently adopted new regulations imposing greater liability on health providers and those companies with whom they subcontract for patient data breaches. These rules modify the Health Insurance Portability and Accountability Act (“HIPAA”) Enforcement Rules by extending direct criminal and civil liability for data breaches to “business associates” of covered entities (health care providers, health plans, etc…) that receive patient information. As a result, covered entities and business associates of those entities will face the same penalties for data breaches.
The new rules also specify that certain subcontractors of covered entities may be included in the definition of “business associate,” and may thus become liable for patient data breaches. According to HHS, a business associate may include a “subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.” This definition includes data service providers, such as cloud service providers, if they maintain protected health information on behalf of a covered entity. HHS notes that this is true regardless of whether the data service provider actually views the health information, and stipulates that “opportunity to access” is sufficient for liability in a breach. Further, data service providers that maintain patient data on behalf of a covered entity may be distinguished from so-called “conduits.” Under the “conduit exception,” service providers will not be liable for data breaches where access is limited to transmission services “including…temporary storage of…data incident to… transmission.” Practically, this “maintenance/conduit” distinction protects underlying internet service providers from liability under the new rules while directly imposing liability on providers that store information, such as cloud service providers.
To learn more about Marashlian & Donahue’s privacy practice, please visit our website.