By Kate Hickner
No one loves drafting, reading or negotiating HIPAA Business Associate Agreements (BAAs). Yet many of us need to do so, and some of us do so daily.
They are often boring, dense and technical, but BAAs are important from both a legal and a business perspective, and they deserve our attention. Failure to enter a BAA when one is required can constitute a HIPAA violation that results in substantial liability, as demonstrated by certain recent Department of Health & Human Services (HHS) settlements.1 A business associate who makes a disclosure that is not authorized by the applicable BAA or required by law can be subject to civil and, in some cases, criminal penalties. Further, parties are often presented with BAAs that contain onerous one-sided indemnification and other provisions that can be devastating to an organization in the event of a HIPAA breach.
The significance of a BAA is often not fully understood by the parties until something goes wrong (e.g., a HIPAA security incident or breach, an Office of Civil Rights (OCR) audit or a fracture in the relationship between the parties) and, at that point, there is limited opportunity to mitigate legal and business risk. Ideally, at the commencement of the business associate relationship, when the parties are able, attention should be given to thoughtfully addressing regulatory requirements, planning and preparing for potential adverse events and appropriately allocating risk among the parties. As with most healthcare regulatory compliance initiatives, a proactive approach with respect to BAAs is preferable.
This article provides a broad overview of certain BAA requirements and some practical negotiating tips for the parties involved.
What Are HIPAA BAAs and When Are They Required?
Simply stated, HIPAA BAAs are legal contracts that are required by applicable federal law, specifically HIPAA,2 under certain circumstances to further ensure that the parties will protect the privacy and security of protected health information (PHI) as defined by HIPAA.3 More specifically, HIPAA generally requires that covered entities enter BAAs when they engage a business associate to assist with healthcare activities and functions.4 HIPAA business associates must also enter BAAs with their subcontractors who constitute business associates. BAAs must be entered on or before the time when the business associate commences services for or on behalf of the HIPAA-covered entity or business associate.
Before entering a BAA, it is important to confirm that a HIPAA business associate relationship actually exists and that the BAA is truly required. Otherwise, the parties are assuming unnecessary and undesirable liability. Healthcare attorneys are able to structure relationships that do not require BAAs.
HIPAA regulations require each BAA to contain certain elements. The parties often also include additional optional provisions to govern their relationship and allocate risk. These required provisions and many of the other common provisions are further described below. The federal government has promulgated language that provides a good example of typical BAA provisions.5
Who Are the Parties to a BAA?
As described above, BAAs are entered between HIPAA-covered entities and HIPAA business associates. They are also entered between HIPAA business associates and their subcontractors (who are also HIPAA business associates under the HIPAA regulations). Although three-party agreements are not required by the regulations, sometimes covered entities will require the subcontractors of their business associates to enter three-party agreements to create privity of contract between the covered entity, the business associate and the business associate’s subcontractor.
For purposes of HIPAA, the terms “covered entity” and “business associate” each have a specific regulatory definition and meaning.6
Simply stated, HIPAA covered entities are: (a) healthcare providers that electronically transmit certain transactions for which the federal government has adopted a standard, (b) health plans and (c) healthcare clearinghouses. Each of these terms is further defined in the HIPAA regulations. The federal government has promulgated a tool to assist in determining whether an organization or individual is a covered entity.7
Also broadly summarized, a “business associate” is a person who either: (a) creates, receives, maintains or transmits PHI on behalf of a covered entity for certain functions or activities such as claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, certain patient safety activities, billing, benefit management, practice management and repricing; or (b) provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services to or for such covered entity where the provision of the service involves the disclosure of PHI.
Subcontractors that create, receive, maintain or transmit PHI on behalf of a business associate are themselves business associates for purposes of HIPAA.
A covered entity may be a business associate of another covered entity. That being said, it is important to note that disclosure by a covered entity of PHI to a healthcare provider for treatment purposes does not result in such receiving party being a business associate of the disclosing party.
It is also important to note that the term “business associate” does not include those engaging in such activity as a member of the covered entity’s workforce. For this purpose, a covered entity’s workforce means employees, volunteers, trainees and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate. Covered entities sometimes structure their relationships with individuals and organizations to satisfy this workforce exception and avoid HIPAA business associate requirements, including BAA requirements.
The HIPAA regulations and the OCR website also include numerous examples of entities that are or are not business associates.89
What Provisions Are Required to Be Included in BAAs?
HIPAA requires that all BAAs include certain required provisions. Broadly summarized, BAAs must do each of the following:
- Permitted Uses. Establish the permitted and required uses and disclosures of PHI by the business associate. This could be done through reference to an underlying services agreement.
- Use by Business Associate. Not authorize the business associate to use or further disclose PHI in a manner that would violate the requirements of the HIPAA Privacy Rule,9 if done by the covered entity (except to the extent permitted in the BAA with respect to certain data aggregation services or certain management and administration activities).
- Limitations on Use and Disclosure. Provide that the business associate will not use or further disclose PHI other than as permitted or required by the underlying contract or as required by law.
- Safeguards. Provide that the business associate will use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by its contract.
- Compliance with HIPAA Security Rule. Provide that the business associate will comply, where applicable, with the HIPAA Security Rule10 with respect to electronic PHI, to prevent use or disclosure of the information other than as provided for by its contract.
- Report of Unauthorized Uses and Disclosures. Provide that the business associate will report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware.
- Report of Security Incidents. Provide that the business associate will report to the covered entity any security incident of which it becomes aware.
- Breach Notification. Provide that the business associate will timely notify the covered entity of any breaches of unsecured PHI as required by the HIPAA Breach Notification Rule.11
- Agreements with Subcontractors. Provide that the business associate will ensure that any subcontractors that create, receive, maintain or transmit PHI on behalf of the business associate agree to the same restrictions, conditions and requirements that apply to the business associate with respect to such information and agree to comply with the applicable requirements of the HIPAA Security Rule by entering into a contract or other arrangement that complies with HIPAA.
- Access to PHI. Provide that the business associate will make available PHI in accordance with the Privacy Rule.12
- Amendments to PHI. Provide that the business associate will make available PHI for amendment and incorporate any amendments to PHI in accordance with the Privacy Rule.13
- Accounting of Disclosures. Provide that the business associate will make available the information required to provide an accounting of disclosures in accordance with the Privacy Rule.14
- Delegation of Covered Entity’s Duties. Provide that the business associate will, to the extent the business associate is to carry out a covered entity’s obligation under the HIPAA Privacy Rule, comply with the requirements of the HIPAA Privacy Rule that apply to the covered entity in the performance of such obligation.
- Records to Secretary. Provide that the business associate will make its internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by the business associate on behalf of, the covered entity available to the Secretary of Health and Human Services for purposes of determining the covered entity’s compliance with the HIPAA Privacy Rule.
- Return or Destroy PHI at Termination. Provide that the business associate will, at termination of the contract, if feasible, return or destroy all PHI received from, or created or received by the business associate on behalf of, the covered entity that the business associate still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.
- Termination Provisions. Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract. Note that the Agreement may provide the business associate with a reasonable opportunity to cure the breach.
What Are Some of the Non-Required Provisions Often Incorporated Into BAAs?
In addition to provisions explicitly required by HIPAA as described above, BAAs also often include additional provisions that may or may not be desirable, including, for example, the following:
Management and Administration. HIPAA explicitly permits BAAs to include the following three provisions, which are often very important for business associates:
- Use for Management and Administration or Legal Responsibilities. The BAA may permit the business associate to use the PHI received by the business associate in its capacity as a business associate to the covered entity, if necessary: (a) for the proper management and administration of the business associate; or (b) to carry out the legal responsibilities of the business associate.
- Disclosure for Management and Administration or Legal Responsibilities. The BAA may permit the business associate to disclose the PHI received by the business associate in its capacity as a business associate for the purposes described immediately above if: (a) the disclosure is required by law; or (b) (1) the business associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person; and (2) the person notifies the business associate of any instances of which it is aware in which the confidentiality of the information has been breached.
- Data Aggregation. The BAA may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity.
- Indemnification. Perhaps the most heavily negotiated language of most BAAs is the indemnification language. This is because there is substantial potential liability in the event that a HIPAA breach occurs and the parties have a desire to allocate risk among themselves with respect to such potential liability in a manner that is to their advantage. In most cases, the covered entities have an interest in imposing very broad indemnification obligations on the business associate, which may include, for example, responsibility for any HIPAA security incident or breach that occurs while the PHI is in the possession or under the control of the business associate or its subcontractors, and any violation of the BAA, negligence or violation of applicable law by the business associate. The business associate has an interest in avoiding or significantly limiting any indemnification obligations. There are a wide range of potential compromise positions available to ensure that both parties are adequately and appropriately protected. Because of the potential liability exposure in this context, the parties often negotiate caps to indemnification obligations, which may be tied to insurance coverage or the revenue paid pursuant to the underlying agreement.
- Insurance Coverage. In addition to including indemnification obligations, the covered entities also often mitigate risk by requiring the business associate to procure and maintain cyber liability insurance coverage with specified limits. The covered entity also often desires the business associate to list the covered entity as an additional insured and to agree that the covered entity will receive notice prior to termination of the policies.
- Other Privacy Laws and Requirements. Many BAAs include certain state-specific requirements related to PHI and other personal information, as well as requirements that address other applicable federal privacy laws that may apply. HIPAA sets a minimum floor for the privacy and security of PHI but other, more stringent state and federal laws may also apply.
- Timeframes. BAAs often include provisions related to notice and timing requirements that are more stringent than those required under HIPAA. Before agreeing to proposed timeframes for taking action, it is imperative to consider whether the timeframes are actually achievable. Those negotiating BAAs should be careful not to set their organizations up for an unavoidable breach of the BAA.
- Other Miscellaneous Provisions. Numerous other provisions may also be included that are either favorable to the covered entity or favorable to the business associate. For example, a business associate may want to clarify that it can de-identify PHI, hold all ownership rights with respect to such de-identified information and use it to the extent permitted by law. A business associate may want to require the covered entities to provide the business associate with notice of limitations in the notice of privacy practices and patient restrictions. The business associate may want the covered entity to verify that the covered entity has a right to share all information that it does share with the business associate and that all necessary authorizations have been received. Covered entities may want to prohibit business associates from using PHI offshore and may want to clarify that the business associate is an independent contractor and not an agent. They may also want the business associate to adhere to the covered entity’s minimum necessary policies and procedures and provide the covered entity with certain audit and inspection rights. Whether these types of provisions are appropriate and ultimately incorporated into the BAA should depend on the specific circumstances of and relationship between the parties, and will also depend on each party’s negotiating leverage.
Because BAAs often include provisions that are not formally required from a compliance perspective and potentially undesirable from a legal and business perspective, organizations frequently develop standard pre-approved template BAAs for use, when required. When an organization is required to use a form other than its own template or when the other party requests changes to the template language, it is advisable to have those changes reviewed by legal counsel. This is true not only because of the technical nature of the BAA requirements, but also because of the significant legal and business risks facing healthcare providers with respect to health information data privacy and security.
As described above, although entering BAAs has become routine for many HIPAA-covered entities and business associates, such contracts must be taken seriously. Paying careful attention to HIPAA BAA provisions and related compliance obligations at the commencement of a relationship can avoid substantial legal and financial challenges in the future.
1 See in particular the recent settlements involving The Center for Children’s Digestive Health, Care New England Health System and Raleigh Orthopaedic Clinic, P.A. of North Carolina. https://www.hhs.gov/hipaa/newsroom/index.html?language=es.
2 For purposes of this article, “HIPAA” refers to the Health Insurance Portability and Accountability Act of 1996, and any amendments or implementing regulations (inclusive of the Privacy, Security, Breach Notification, and Enforcement Rules at 45 C.F.R. Part 160 and 164).
3 See 45 CFR 160.103 and 45 CFR 164.502.
4 45 CFR 164.504.
6 45 CFR 160.103.
8 See 45 CFR 160.103. See also https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html and https://www.hhs.gov/hipaa/for-professionals/faq/business-associates.
9 Title 45, Chapter 164, Subpart E of the Code of Federal Regulations.
10 Title 45, Chapter 164, Subpart C of the Code of Federal Regulations.
11 Title 45, Chapter 164, Subpart D of the Code of Federal Regulations.
12 See 45 CFR 164.524.
13 See 45 CFR 164.526.
14 See 45 CFR 164.528.
KJK publications are intended for general information purposes only and should not be construed as legal advice on any specific facts or circumstances. All articles published by KJK state the personal views of the authors. This publication may not be quoted or referred without our prior written consent. To request reprint permission for any of our publications, please use the “Contact Us” form located on this website. The mailing of our publications is not intended to create, and receipt of them does not constitute, an attorney-client relationship. The views set forth therein are the personal views of the author and do not necessarily reflect those of KJK.