The billing vendor American Medical Collection Agency (AMCA) has reached a settlement with 42 state attorneys general over the 2018 data breach that affected more than 21 million individuals. AMCA still has private class action lawsuits pending against it, and isn’t out of the woods.
AMCA filed for bankruptcy shortly after the breach was announced in anticipation of claims from regulators and individuals. AMCA’s largest customers were Quest and LabCorp, two testing labs and covered entities who relied on AMCA for billing and collections. Under HIPAA, AMCA was their business associate. Quest and LabCorp were not part of the attorneys general investigation but may face liability under separate civil lawsuits.
The settlement agreement requires AMCA to implement stronger data security measures, hire a chief information security officer and create an incident response plan. They are also required to hire a third-party analyst to perform a HIPAA Risk Analysis.
The settlement does not include a monetary payment up front, but will require AMCA to pay $21 million to the states if it violates the agreement. Because of AMCA’s financial condition, the payment requirement will be suspended if they comply with the settlement.
The big takeaway from this settlement (and the other potential liability faced by AMCA, LabCorp and Quest) is that business associates must comply with HIPAA, and covered entities need to manage their business associates in the right way. As a covered entity, conduct due diligence and ask the right questions.
Private Lawsuits Can Enforce HIPAA Compliance
HIPAA does not include a private right to sue.
Although the Office for Civil Rights (OCR) is the federal agency charged with enforcing HIPAA, state investigations and private lawsuits are becoming more common when individuals’ privacy is breached, especially when the breach affects millions of people at once.
AMCA still faces class action civil lawsuits from aggrieved individuals and this attorney general settlement will not hinder those. Numerous class action civil suits were filed against AMCA across the country in 2019, and are now consolidated for pretrial proceedings in the New Jersey U.S. District Court. LabCorp and Quest are also being sued along with AMCA in these class actions.
This state attorney general settlement is notable for several reasons. First, by addressing AMCA’s bankrupt status, the settlement emphasizes why the class action civil suits are aggressively seeking to hold AMCA’s customers, large and well-funded companies like LabCorp and Quest, liable for the money damages resulting from AMCA’s breaches.
Although business associates are separately liable for HIPAA compliance, their customers, the covered entities, are not necessarily off the hook.
Manage Business Associates with Communication and Collaboration, not Control
Whether LabCorp and Quest are responsible rests on a key legal issue: was AMCA their legal ‘agent’? If so, they are the legal ‘principal’ answerable for their agent’s misdeeds. AMCA may be considered a legal ‘agent’ under the law of the various states where plaintiffs live, but also under a little-known body of law, the federal common law of agency, which is embedded in the HIPAA Enforcement Rule.
The federal common law of agency makes a business associate the agent of a covered entity even when a covered entity is exercising a relatively low level of control over how the business associate carries out its duties. If a plaintiff can prove that the business associate was an agent of the covered entity, then the covered entity is responsible for the business associate’s failures. The key is to manage the business associate without exerting too much control. Collaboration and communication are essential.
Business associates do not have to become agents. Covered entities can guard against it by having the right kind of relationship with their business associates – separate responsibilities, a mutual commitment to comply with HIPAA, and not too much control.
It’s also notable that the settlement contains numerous references to HIPAA and confirms that AMCA (as a business associate subject to HIPAA) was also subject to laws of the states where the data breaches occurred. While HIPAA does not create a private right to sue, courts increasingly look to it as the ‘standard of care’ covered entities must meet in data breach cases like the Arizona Supreme Court did on March 8, 2021 in Shepherd v. Costco. So a court can use failure to comply with HIPAA as a measurement of failure to meet responsibilities under state privacy laws, negligence and contract law.
State attorneys general, as this latest settlement shows, are hampered by AMCA’s bankruptcy in obtaining significant financial payouts. However, plaintiffs’ attorneys, acting as ‘private attorneys general’, may be able to secure payment for their clients from the deep pockets of AMCA’s covered entity customers, LabCorp and Quest, if the facts and law support their claims. If AMCA was their agent, they may acquire AMCA’s liabilities.
Business Associate Due Diligence
Covered entities that hire vendors to carry out responsibilities in healthcare should understand which of those vendors are business associates. They should require a business associate agreement, make sure the business associate follows HIPAA, and ask some basic questions. The “due diligence” required isn’t extensive. The idea is to make sure covered entities choose only those vendors that understand their HIPAA responsibilities and follow HIPAA.
Exception to the Warning about Agency
There may be reasons that a covered entity in specific circumstances would decide they want to control work by a business associate and would knowingly make the business associate its agent. Quality assurance and risk management are two possible reasons. The key is to know what you need and have the right agreement that accurately describes what you need.
Communicate with Vendors and Partners about HIPAA Compliance
Avoid surprises and steep costs when a business associate fails to comply. Communicate at the beginning of the relationship: get the right business associate agreement in place that provides what you need, then follow up and ask questions. If you are unable to get the right answers, think twice about engaging that vendor. The risks are too great: lawsuits, federal and state investigations, and loss of patient trust.