[BreachExchange] How to ensure business associate agreements protect all parties

Destry Winant destry at riskbasedsecurity.com
Wed Mar 13 02:46:03 EDT 2019


If an organization is involved in healthcare, whether as a provider,
facility, consultant, vendor or in almost any other capacity, it is
highly likely that HIPAA applies to internal operations and
relationships with other parties.

As should be well known, when a relationship is established with one
party providing services for or on behalf of a covered entity (such as
a healthcare provider, health plan or healthcare clearinghouse), then
the party providing the service is a business associate. Once a party
is a business associate, then a business associate agreement (BAA) is
needed. In fact, the BAA is mandatory and must be in place before any
protected health information is shared.

A business associate, as noted above, is any party that provides
services for or on behalf of a covered entity and then handles,
creates, stores or otherwise interacts with protected health
information for or on behalf of the covered entity. Any entity can
become a business associate, even including an entity that is
otherwise a covered entity. Additionally, a party’s status as a
business associate is not an arbitrary designation that either party
can assert, nor is it created by putting a BAA into place. Instead, it is a
matter of assessing whether the definition of a business associate as
set out in the HIPAA regulations is met.

Moving beyond the determination of whether a party is a business
associate, the real fun starts when a BAA is presented. The first
question that can arise is who can present the agreement. Really,
either party can present the BAA. Often, that decision can be driven
by the relative sophistication and awareness of the parties about
regulatory compliance. Surprisingly, that could mean the business
associate is the one more cognizant of the need for the BAA.

Lack of awareness by the covered entity is risky. The HIPAA
regulations are clear in imposing the obligations to put a BAA into
place on covered entities. The focus on covered entities makes sense
to some degree because, ultimately, the covered entity is the party
driving the need for the protected health information and establishing
the direct relationship with patients, in most instances.

As to what terms should be included in a BAA, that is primarily driven
by requirements set out in HIPAA. Both the Security Rule and the
Privacy Rule identify specific provisions that must be included for a
BAA to be compliant. In fact, the regulatory requirements are
technically the full scope of terms that need to be included in a BAA.

It’s also true that the BAA does not actually need to be a standalone
agreement. The regulations would be satisfied if all of the applicable
terms are included in any agreement.

While HIPAA requires certain terms to be present, there is still room
for some negotiation in how those terms are presented. For the most
part, negotiations focus on the timeframes in which business
associates will need to perform certain actions or provide certain

For example, a BAA will need to reference an individual’s right to
access, request an amendment or ask for a restriction. The business
associate is not directly responsible for responding and the covered
entity will need the request or other notice sent to it. The covered
entity often desires to receive such notices within days of receipt by
the covered entity, not the up to 30 or 60 days that could be allowed
under the regulations.

Another area where timing becomes of strong interest is around breach
notification. Covered entities bear the obligation to notify impacted
individuals, the Office for Civil Rights and the media (in certain
instances). Business associates are obligated to notify the applicable
covered entity with the same scope of information that will be needed
to provide the broader notification. In each instance, there could be
as much as 60 days to provide the notification from the time of
“discovery,” which is specially defined for HIPAA breach purposes.

However, does a covered entity whose patients are impacted by a breach
want to wait for as long as the full 60-day period? Probably not. That
is why so many BAAs will seek to have the business associate provide
notice of a breach anywhere from one to five days after the initial
discovery (although, like all of the items highlighted here, there are
always exceptions). What is reasonable will be up to the parties.

The real sticking points and obligations, though, arise from the
“extracurricular” type provisions that are not required by HIPAA. The
main examples of these provisions are indemnification, reimbursement,
audits and insurance.

Each of the above examples seeks to shift liability or responsibility
from the covered entity to the business associate, or provide
examination into the operations of the business associate.

Indemnification and reimbursement can feel like two sides of the same
coin. Put simply, indemnification tries to make one party whole by
requiring the other party to be responsible for all damages,
liabilities, and claims that could arise within the scope of the
indemnification. When it comes to BAAs, indemnification is often
stated to cover a breach of the BAA or a breach of protected health
information. Breaches of protected health information represent the
area where damages could potentially be quite high, especially
depending on the scope of what is included. If all damages,
liabilities and claims whether direct or indirect are included, then
arguably the business associate’s obligation could extend to any
matter connected to the breach.

Similarly, reimbursement seeks to obligate the business associate to
cover proven expenses incurred by the covered entity. Most often,
reimbursement is tied to responding to a breach, such as mailing,
credit monitoring or other quantifiable expenditures incurred in the
response. Reimbursement is likely more limited than broader
indemnification, but could still result in significant monetary

An audit provision may seek to let the covered entity review a
business associate’s operations, whether remotely or on site.
Regardless of the type, an audit can be potentially intrusive into a
business associate’s operations and could result in access to
information from other clients of the business associate.

The risks are not one-sided though. If a covered entity succeeds in
reserving the right to conduct an audit, will that right be used? What
if an issue arises that results in a breach that could have been found
by an audit, but no audit occurred? Arguably the Office for Civil
Rights could fault the covered entity for not being proactive enough
in its own defense. As such, an audit provision should be carefully

A key provision is insurance, which will try to state the types of
coverage to be held by the business associate and with what coverage
amounts. Requests for insurance most often will focus on general
liability, cyber liability and umbrella. The types are not usually up
for debate.

The bigger questions arise over the coverage limits. Covered entities
may want very high coverage because a breach will necessarily result
in significant costs, while the business associate will be weighing
the cost of obtaining that coverage against its revenues and number of clients.

Another issue to keep in mind is that a covered entity will not
receive the scope of protection it thinks unless it is the only client
of a particular business associate. Instead, all of a business
associate’s clients will be grabbing for proceeds from insurance in
the event of a coverable event, which will necessarily leave everyone
less than whole.

It’s clear that BAAs are not without questions and considerations. It
is helpful to be aware of these issues and to carefully review every
BAA before signing. No agreement should be signed without
understanding its implications.
