Tomes Jonathan P
Tomes & Dvorak, Kansas City, USA.
J Health Care Finance. 2013 Summer;39(4):28-35.
The recent Omnibus Rule published by the Department of Health and Human Services greatly expanded liability for breaches of health information privacy and security under the HIPAA statute and regulations. This expansion could have dire financial consequences for the health care industry. The Rule expanded the definition of business associates to include subcontractors of business associates and made covered entities and business associates liable for breaches of the entities who perform a service for them involving the use of individually identifiable health information under the federal common law of agency. Thus, if a covered entity or its "downstream" business associate breaches security or privacy, the covered entity or "upstream" business associate may face HIPAA's civil money penalties or a lawsuit. Financial managers need to be aware of these changes both to protect against the greater liability and to plan for the compliance costs inherent in effectively, if not legally, making business associates into covered entities.