If an organization is involved in healthcare, whether as a provider, facility, consultant, vendor or in almost any other capacity, it is highly likely that HIPAA applies to internal operations and relationships with other parties. As should be well-known, when a relationship is established with one party providing services for or on behalf of a covered entity (this means a healthcare provider, health plan, or healthcare clearinghouse), then the party providing the service is a business associate. Once a party is a business associate, then a business associate agreement (BAA) is needed. In fact, the BAA is not just needed, but mandatory and must be in place before any protected health information is shared.
As a quick refresher, a business associate, as noted above, is any party that provides services for or on behalf of a covered entity and then handles, creates, stores, or otherwise interacts with protected health information for or on behalf of the covered entity. Any entity can become a business associate, even including an entity that is otherwise a covered entity. Additionally, determining a party’s status as a business associate is not an arbitrary one that either party can assert, or created by putting a BAA into place. Instead, it is a matter of assessing whether the definition of a business associate as set out in the HIPAA regulations is met.
Moving beyond the determination of whether a party is a business associate, the real “fun” starts when a BAA is presented. The first question that can arise is who can present the BAA. Really, either party can present the BAA. Oftentimes that decision can be driven by the relative sophistication and awareness of the parties as to regulatory compliance. Surprisingly, that could mean the business associate is the one more cognizant of the need for the BAA.
Lack of awareness by the covered entity is risky. The HIPAA regulations are clear in imposing the obligations to put a BAA into place on covered entities. The focus on covered entities makes sense to some degree since ultimately the covered entity is the party driving the need for the protected health information and establishing the direct relationship with patients, in most instances.
With the presentation of a BAA, the next question goes to what terms should be included. The bulk of a BAA is driven by requirements set out in HIPAA. Both the Security Rule and the Privacy Rule identify specific provisions that must be included for a BAA to be compliant. In fact, the regulatory requirements are technically the full scope of terms that need to be included in a BAA. Another fun fact is that the BAA does not actually need to be a standalone agreement. The regulations would be satisfied if all of the applicable terms are included in any agreement.
While HIPAA requires certain terms to be present, there is still room for some negotiation in how those terms are presented. For the most part, negotiations focus on the timeframes in which business associates will need to perform certain actions or provide certain notices. For example, a BAA will need to reference an individual’s right to access, request an amendment, or ask for a restriction. The business associate is not directly responsible for responding and the covered entity will need the request or other notice sent to it. The covered entity often desires to receive such notices within days of receipt by the covered entity, not the up to 30 or 60 days that could be allowed under the regulations.
Another area where timing becomes of strong interest is around breach notification. Covered entities bear the obligation to notify impacted individuals, the Office for Civil Rights, and the media (in certain instances). Business associates are obligated to notify the applicable covered entity, with the same scope of information that will be needed to provide the broader notification. In each instance, there could be up to 60 days to provide the notification from the time of “discovery,” which is specially defined for HIPAA breach purposes. However, does a covered entity whose patients are impacted by a breach want to wait for up the full 60 day period? The answer is probably not really. That is why so many BAAs will seek to have the business associate provide notice of a breach anywhere from 1-5 days after the initial discovery (though like all of the items highlighted here, there are always exceptions). What is reasonable will be up to the parties.
The real sticking points and obligations though arise from the “extracurricular” type provisions that are not required by HIPAA. The main examples are these provisions are:
Each of the above examples seeks to shift liability or responsibility from the covered entity to the business associate or provide examination into the operations of the business associate.
Indemnification and reimbursement can feel like two sides of the same coin. Put simply, indemnification tries to make one party whole by requiring the other party to be responsible for all damages, liabilities, and claims that could arise within the scope of the indemnification. When it comes to BAAs, indemnification is often stated to cover a breach of the BAA and/or a breach of protected health information. Breaches of protected health information represent the area where damages could potentially be quite high, especially depending upon the scope of what is included. If all damages, liabilities, and claims whether direct or indirect are included, then arguably the business associate’s obligation could extend to any matter connected to the breach.
Similarly, reimbursement seeks to obligate the business associate to cover proven expenses incurred by the covered entity. Most often reimbursement is tied to responding to a breach, such as mailing, credit monitoring, or other quantifiable expenditures incurred in the response. Reimbursement is likely more limited than broader indemnification, but could still result in significant monetary impacts.
An audit provision may seek to let the covered entity review a business associate’s operations, whether remotely or on site. Regardless of the type, an audit can be potentially intrusive into a business associate’s operations and could result in access to information from other clients of the business associate. The risks are not one-sided though. If a covered entity succeeds in reserving the right to conduct an audit, will that right be used? What if an issue arises that results in a breach that could have been found by an audit, but no audit occurred? Arguably the Office for Civil Rights could fault the covered entity for not being proactive enough in its own defense. As such, an audit provision should be carefully considered.
Lastly, for now, of the extra provisions is insurance. An insurance provision will try to state the types of coverage to be held by the business associate and with what coverage amounts. Requests for insurance will most often focus on general liability, cyber liability, and umbrella. The types are not usually up for debate, The bigger questions arise over the coverage limits. Covered entities may want very high coverage since a breach will necessarily result in significant costs whereas the business associate will be weighing the cost of obtaining against its revenues and number of clients. Another issue to keep in mind is that a covered entity will not receive the scope of protection it thinks unless it is the only client of a particular business associate. Instead, all of a business associate’s clients will be grabbing for proceeds from insurance in the event of a coverable event, which will necessarily leave everyone less than whole.
As can be seen, BAAs are not without questions and considerations. It is helpful to be aware of these issues and to carefully review every BAA before signing. No agreement should be signed without understanding its implications. Now, proceed with eyes wide open.
This article was originally published on Mirick O’Connell’s Health Law Blog.