If an organization is involved in healthcare, whether as a provider, facility, consultant, vendor or in almost any other capacity, it is highly likely that HIPAA applies to internal operations and relationships with other parties.
As should be well known, when a relationship is established with one party providing services for or on behalf of a covered entity (such as a healthcare provider, health plan or healthcare clearinghouse), then the party providing the service is a business associate. Once a party is a business associate, then a business associate agreement (BAA) is needed. In fact, the BAA is mandatory and must be in place before any protected health information is shared.
A business associate, as noted above, is any party that provides services for or on behalf of a covered entity and then handles, creates, stores or otherwise interacts with protected health information for or on behalf of the covered entity. Any entity can become a business associate, even including an entity that is otherwise a covered entity. Additionally, determining a party’s status as a business associate is not an arbitrary one that either party can assert, or created by putting a BAA into place. Instead, it is a matter of assessing whether the definition of a business associate as set out in the HIPAA regulations is met.
Moving beyond the determination of whether a party is a business associate, the real fun starts when a BAA is presented. The first question that can arise is who can present the agreement. Really, either party can present the BAA. Often, that decision can be driven by the relative sophistication and awareness of the parties about regulatory compliance. Surprisingly, that could mean the business associate is the one more cognizant of the need for the BAA.
Lack of awareness by the covered entity is risky. The HIPAA regulations are clear in imposing the obligations to put a BAA into place on covered entities. The focus on covered entities makes sense to some degree because, ultimately, the covered entity is the party driving the need for the protected health information and establishing the direct relationship with patients, in most instances.
As to what terms should be included in a BAA, that is primarily driven by requirements set out in HIPAA. Both the Security Rule and the Privacy Rule identify specific provisions that must be included for a BAA to be compliant. In fact, the regulatory requirements are technically the full scope of terms that need to be included in a BAA.
It’s also true that the BAA does not actually need to be a standalone agreement. The regulations would be satisfied if all of the applicable terms are included in any agreement.
While HIPAA requires certain terms to be present, there is still room for some negotiation in how those terms are presented. For the most part, negotiations focus on the timeframes in which business associates will need to perform certain actions or provide certain notices.
For example, a BAA will need to reference an individual’s right to access, request an amendment or ask for a restriction. The business associate is not directly responsible for responding and the covered entity will need the request or other notice sent to it. The covered entity often desires to receive such notices within days of receipt by the covered entity, not the up to 30 or 60 days that could be allowed under the regulations.
Another area where timing becomes of strong interest is around breach notification. Covered entities bear the obligation to notify impacted individuals, the Office for Civil Rights and the media (in certain instances). Business associates are obligated to notify the applicable covered entity with the same scope of information that will be needed to provide the broader notification. In each instance, there could be as much as 60 days to provide the notification from the time of “discovery,” which is specially defined for HIPAA breach purposes.
However, does a covered entity whose patients are impacted by a breach want to wait for as long as the full 60-day period? Probably not. That is why so many BAAs will seek to have the business associate provide notice of a breach anywhere from one to five days after the initial discovery (although, like all of the items highlighted here, there are always exceptions). What is reasonable will be up to the parties.
The real sticking points and obligations though arise from the “extracurricular” type provisions that are not required by HIPAA. The main examples are these provisions are indemnification, reimbursement, audits and insurance.
Each of the above examples seeks to shift liability or responsibility from the covered entity to the business associate, or provide examination into the operations of the business associate.
Indemnification and reimbursement can feel like two sides of the same coin. Put simply, indemnification tries to make one party whole by requiring the other party to be responsible for all damages, liabilities, and claims that could arise within the scope of the indemnification. When it comes to BAAs, indemnification is often stated to cover a breach of the BAA or a breach of protected health information. Breaches of protected health information represent the area where damages could potentially be quite high, especially depending on the scope of what is included. If all damages, liabilities and claims whether direct or indirect are included, then arguably the business associate’s obligation could extend to any matter connected to the breach.
Similarly, reimbursement seeks to obligate the business associate to cover proven expenses incurred by the covered entity. Most often, reimbursement is tied to responding to a breach, such as mailing, credit monitoring or other quantifiable expenditures incurred in the response. Reimbursement is likely more limited than broader indemnification, but could still result in significant monetary impacts.
An audit provision may seek to let the covered entity review a business associate’s operations, whether remotely or on site. Regardless of the type, an audit can be potentially intrusive into a business associate’s operations and could result in access to information from other clients of the business associate.
The risks are not one-sided though. If a covered entity succeeds in reserving the right to conduct an audit, will that right be used? What if an issue arises that results in a breach that could have been found by an audit, but no audit occurred? Arguably the Office for Civil Rights could fault the covered entity for not being proactive enough in its own defense. As such, an audit provision should be carefully considered.
A key provision is insurance, which will try to state the types of coverage to be held by the business associate and with what coverage amounts. Requests for insurance most often will focus on general liability, cyber liability and umbrella. The types are not usually up for debate.
The bigger questions arise over the coverage limits. Covered entities may want very high coverage because a breach will necessarily result in significant costs, while the business associate will be weighing the cost of obtaining against its revenues and number of clients.
Another issue to keep in mind is that a covered entity will not receive the scope of protection it thinks unless it is the only client of a particular business associate. Instead, all of a business associate’s clients will be grabbing for proceeds from insurance in the event of a coverable event, which will necessarily leave everyone less than whole.
It’s clear that BAAs are not without questions and considerations. It is helpful to be aware of these issues and to carefully review every BAA before signing. No agreement should be signed without understanding its implications.