
Court Declines to Dismiss Claims Against Business Associate Subcontractor Responsible for HIPAA Breach



CVS Pharmacy, Inc. v. Press America, Inc., 2018 WL 318479 (S.D.N.Y. 2018)

A federal court has declined to dismiss a lawsuit filed by a pharmacy benefit manager (PBM) against a mail service that violated the HIPAA privacy rule when it misaddressed mail and improperly disclosed protected health information (PHI) of 41 individuals. The PBM, which contracted with a group health plan to provide mail-order pharmacy services, subcontracted certain functions to the mail service. Both the PBM and the mail service were subject to HIPAA privacy and security rules—the PBM as the health plan’s business associate and the mail service as a business associate subcontractor. According to the PBM, the mail service’s unauthorized disclosures violated a performance standard under the PBM’s contract with the health plan and triggered a payment of over $1.8 million by the PBM to the plan. The PBM then sought indemnification from the mail service, both under its business associate subcontract and common-law principles, and also contended that the mail service was negligent. The mail service moved to dismiss these claims.

The court denied the motion to dismiss, holding that the subcontract’s indemnification provisions were broad enough to encompass the PBM’s payment to the health plan—which, according to the complaint, was made due to the mail service’s negligence and arose out of a breach of private information under the mail service’s control. Moreover, the court held that the mail service did not have the right to challenge the validity of the PBM’s contractual obligation to pay the health plan since the mail service was not a party or third-party beneficiary to that contract. The PBM also adequately stated a claim for common-law indemnification by alleging that (1) the mail service owed the PBM a duty of reasonable care, (2) the improper PHI disclosures were due solely to the mail service’s negligence, and (3) the PBM’s reputation was damaged when it complied with its legal obligation to notify affected individuals. Finally, the court ruled that the PBM sufficiently alleged negligence based on its assertions that the mail service breached its duty to the PBM and the PBM suffered economic damage through its payment to the health plan, investigation and assessment of HIPAA compliance issues, and notification to affected individuals. The court noted that it could not resolve on a motion to dismiss the parties’ factual assertions, including the mail service’s contention that the subcontract’s indemnification provision was not intended to cover this type of payment.

EBIA Comment: It may seem like only yesterday, but this month marks the fifth anniversary of the omnibus regulation that substantially expanded the HIPAA obligations of business associates and their subcontractors (see our Checkpoint article). While this case is at a very early stage and the subcontractor will still have a chance to develop evidence in support of its defenses, many of the issues will seem familiar to those involved with health plan administration—including plan sponsors, third-party administrators (TPAs), and other service providers. The opinion’s discussion of indemnification principles may help covered entities, business associates, and subcontractors prepare for disputes over unintended disclosures of PHI, which, in today’s world, seem inevitable. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXIV.B (“What Is a Business Associate?”), XXIV.D (“Agents and Subcontractors of a Business Associate”), XXIV.E (“The Business Associate Contract: Beyond HIPAA’s Requirements”), and XXIV.G (“Contracting With Business Associates: Issues to Consider”). You may also be interested in our recorded webinar “HIPAA Business Associate Contracts: Due Diligence, Upstream Liability, and More” (recorded on 9/14/17).

Contributing Editors: EBIA Staff.