Third Party Beneficiaries of Business Associate Contracts
Under The Health Insurance Portability and Accountability Act Privacy Regulations

By Morris A. Landau, J.D., M.H.A., LL.M. Candidate

The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") authorized the Secretary of Health and Human Services (HHS) to promulgate rules governing the use and privacy of individually identifiable health information in certain transactions if Congress failed to enact legislation by August 1999. Because Congress missed this deadline, on November 3, 1999, HHS published its proposed rules implementing the law to protect the privacy of individually identifiable health information. On December 28, 2000, HHS published its final rule, The Standards for Privacy and Individually Identifiable Health Information in the Federal Register (65 Fed. Reg. 82,462). http//

At 440,000 words, the regulation ran more than 1,500 pages of typescript and filled 368 pages in the Federal Register. See "Privacy Rule Will Force Major Changes in Handling of Patient Information," The regulation has three major purposes: (1) To protect and enhance the rights of consumers by providing them access to their health information and controlling the inappropriate use of that information; (2) to improve the quality of health care in the U.S. by restoring trust in the health care system among consumers, health care professionals, and the multitude of organizations and individuals committed to the delivery of care; and (3) to improve the efficiency and effectiveness of health care delivery by creating a national framework for health privacy protection that builds on efforts by states, health systems, and individual organizations and individuals. 65 Fed. Reg. 82,436. The final Privacy Rule’s effective date is April 14, 2003.

This final Privacy Rule will affect every hospital, physician and health insurer, virtually all health plans, and their business associates-including their attorneys. This regulation applies to three types of "covered entities:" (1) health care plans; (2) health care clearinghouses; and (3) health care providers who electronically transmit health information in connection with certain specified transactions. 45 C.F.R. § 164.103. A covered entity may disclose private health information ("PHI") to persons that meet the definition of a "business associate" 65 Fed. Reg. 82,504. A business associate is a person who has the right to use or disclose PHI which belongs to the covered entity and is using or disclosing PHI to perform a function or activity on behalf of the covered entity. 65 Fed. Reg. 82,475. In other words, a business associate is a person or entity who performs a function for or assists a covered entity with a function or activity involving the use or disclosure of PHI. (e.g. claims processing, data analysis, utilization review, quality assurance, billing, benefit management, practice management, repricing, legal, actuarial, accounting, consulting, data aggregation, management, financial services, accreditation). §160.103 (1).

Since HHS did not have the authority to directly regulate the practices of other entities that may handle PHI, the "business associate" provision of the privacy regulation indirectly extends many of the privacy regulations to business associates. Specifically, the key requirement for a business associate of a covered entity is that a written contract would be required between the covered entity and its business associate. The contract obligates the business associate to abide by the same restrictions on the use and disclosure of PHI to which the covered entity is subject to under the final rule as well as the specific privacy practices of the covered entity. §164.502 (e).

There are exceptions; first, the final rule does not require a business associate contract when PHI is shared among health care providers for "treatment purposes." 65 Fed. Reg. 82,634; second, an affiliate that chooses to designate itself as a part of the covered entity will not need a business associate contract to share PHI. § 164.504(d); third, individuals who are in the work force at the covered entity are excluded from the definition of a business associate, § 160.103(1); fourth, no business associate contract is required with respect to disclosures by a group health plan or HMO to the plan sponsor under certain circumstances. § 164.502 (e)(1); and lastly, no business associate contract is required for disclosure to a government program providing public benefits. Id.

A key issue regarding these business associate contracts is whether third party beneficiaries, namely patients, can have a cause of action if there is material breach of a business associate contract or an unauthorized disclosure of their PHI. The final rule dropped a requirement in the proposed regulations that patients be designated as third-party beneficiaries of written privacy agreements between healthcare entities and their business associates; health groups had feared that would open them up to lawsuits by patients who felt their privacy was invaded. See "Privacy Rule Will Force Major Changes in Handling of Patient Information,"

Nevertheless, third party beneficiaries may sue under state law. HIPAA regulations did not intend to affect existing laws regarding when individuals may be third party beneficiaries of contracts. If existing state law allows individuals to claim third party beneficiary rights, or prohibits them from doing so, HHS did not intend to affect those laws; instead, HIPAA intended to leave "this matter to such other law." 65 Fed. Reg. 82,641.

As a practical matter, it will be very difficult to not only police PHI, but also, it will be difficult to determine both equitable and compensatory relief should a third party beneficiary bring a cause of action for a material breach of a business associate contract. In other words, the courts will have the difficult task of determining and measuring possible expectation damages, restitution, or reliance damages or even possible declaratory or injunctive relief if there is a material breach of a business associate contract. Furthermore, depending upon a state’s jurisdiction, a third party beneficiary could bring a tort action such as defamation or invasion of privacy. This loophole in the HIPAA privacy regulations could open the door for plaintiffs to sue health care entities and its business associates. Thus, the fear of lawsuits that health groups had protested in the proposed regulations, which was a private cause of action for individuals to enforce a right to privacy of medical information, is still alive and well under existing state laws. As a result, HIPAA’s failure to preempt this area of state law, leaves open the possibility of frivolous lawsuits, a chilling effect of open communication between the covered entity and its business associates, and increased costs throughout the health care system.

On February 26, 2001, the Secretary of Health and Human Services, Tommy Thompson reopened the HIPAA privacy act regulations for a new comment period, and the Bush Administration has decided to revise these final privacy regulations because they are unworkable and would impose a tremendous cost and burden on the health care industry. "White House Plans to Revise New Medical Privacy Rules," I hope one of those changes will be addressing the loophole in the business associate contract.