DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
Business associate agreements, or BAAs, are legally binding contracts between covered entities and business associates. Business associate agreements are legally binding contracts between business associates and their business associate subcontractors as well.
What Language Must Be in a Business Associate Agreement?
The HIPAA Privacy Rule at 45 CFR 164.504(e)(2)(ii) sets forth the content that must be in a business associate agreement between a covered entity and a business associate. The business associate agreement must provide that the business associate will:
Not use or further disclose PHI other than as permitted or required by the contract or as required by law.
Use appropriate safeguards and comply, where applicable, with the HIPAA Security Rule with respect to electronic protected health information (ePHI), to prevent use or disclosure of the ePHI other than as provided for by the BAA.
Report to the covered entity any use or disclosure of the information not provided for by the BAA that the business associate becomes aware of, including breaches of unsecured protected health information as required by the Breach Notification Rule.
Ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information.
Make available protected health information in accordance with the Privacy Rule right of access provision.
Make available protected health information for amendment and incorporate any amendments to protected health information, in accordance with the Privacy Rule’s “Amendment to Protected Health Information” provision.
Make available the information required to provide an accounting of disclosures in accordance with the Privacy Rule’s “Accounting of Disclosures” provision.
To the extent the business associate is to carry out a covered entity's obligation under the Privacy Rule, comply with the requirements of the Privacy Rule that apply to the covered entity in the performance of that obligation.
Make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by the business associate on behalf of, the covered entity available to the HHS Secretary for purposes of determining the covered entity's compliance with the Privacy Rule.
At the termination of the BAA, if feasible, return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity that the business associate still maintains in any form and retain no copies of such information, or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.
Contracts between business associates and business associates that are subcontractors are subject to these same requirements.
What if One of These Terms is Missing from the Agreement?
The above requirements, for both covered entity/business associate agreements and business associate/business associate subcontractor agreements, are set by law. If one or more of the required terms is missing, the business associate agreement does not contain all of the required content and is therefore incomplete.
Say that a covered entity sends a business associate agreement to a prospective business associate for signature. For whatever reason, the language "Business associate will make protected health information available in accordance with the Privacy Rule right of access provision" is not in the agreement. Maybe the covered entity forgot to include the language. Maybe the covered entity believed (accurately or not) that its relationship with the business associate would never involve the business associate playing a role in fulfilling a right of access request, and therefore believed the language was unnecessary. It does not matter. The provision, "Business associate will make protected health information available in accordance with the Privacy Rule right of access provision," must be in the business associate agreement, regardless of whether an entity wants it to be there, and regardless of whether an entity thinks it should or must be there. The law says that the provision must be there, so it must be there.
What Content is Permitted to be in a Business Associate Agreement?
There is certain content that, while not required to be included in a business associate agreement (either a CE/BA agreement or a BA/BA subcontractor agreement), is permitted to be in the agreement. If a piece of content is permitted (but not required) to be in an agreement, the parties to the agreement negotiate over whether to include that content, and how exactly it should read.
Examples of permitted content include:
1. The business associate agreement (see provision #3 of 10 above) requires the BA to "report to the covered entity any use or disclosure of the information not provided for by the BAA that the business associate becomes aware of, including breaches of unsecured protected health information as required by the Breach Notification Rule." Under the Breach Notification Rule, a business associate must provide notification of a breach of unsecured PHI to the covered entity "without unreasonable delay and in no case later than 60 calendar days after discovery of a breach." Can the parties agree to lengthen this time period - say, to 120 days? No; the law sets 60 days as the outer limit. The parties can, however, agree to shorten the 60-day period. A covered entity might want a lower number, especially because it has its own obligation to notify affected individuals without unreasonable delay, and in no case later than 60 calendar days after discovery of a breach (and, where the business associate is acting as the covered entity's agent, the business associate's discovery of the breach is treated as the covered entity's discovery, so the covered entity's own clock may already be running). A business associate may want a higher number than the covered entity wants. HIPAA does not dictate what the appropriate number is. If one or more parties wants to change the reporting period, the number of days a business associate has to report an incident is subject to negotiation between the parties. When negotiating a business associate agreement, one goal a party should have is to protect its organization. Note that this goal is not the same as arguing or "winning" on every point. In any negotiation, a party should, very generally speaking,
Be mindful of its bargaining power.
Be mindful of its market position.
Be realistic in what it can achieve.
2. Additional responsibilities on the part of the BA. A covered entity is permitted, but not required, to seek inclusion of the following provisions, when it is undisputed that the business associate caused the breach:
a. A provision requiring the business associate to take reasonable steps to mitigate any potential harm from the breach, including such steps as the covered entity "may reasonably require."
b. A provision including specific actions the business associate must take, such as an attempt to retrieve any lost or stolen information, or to operate (or arrange for) a call center through which affected individuals can have their questions answered.
c. A provision requiring the business associate to make its records, personnel, and advisors available to the covered entity for purposes of the covered entity completing its investigation of the breach.
d. A provision requiring the business associate to participate in an investigation by an Attorney General, the HHS Office for Civil Rights, or another state or federal agency.
e. A provision requiring that, if the investigation mentioned in (d) above is due to an act or omission of the business associate, the business associate's cooperation is to be at its own cost and expense.
Inclusion of these terms, again, is not required by HIPAA. It is up to the parties to engage in negotiation over whether and which of the terms are to be included.
3. A provision requiring a business associate to make relevant books, records, and policies available to the covered entity on a confidential basis, to allow the covered entity to conduct "due diligence" on the business associate to verify the business associate's compliance with the business associate agreement or HIPAA.
Inclusion of this term is not required by HIPAA. The parties are free to negotiate over whether to include it. The covered entity has the right to propose the term, but cannot require the business associate to agree to it.
4. Indemnification language. HIPAA does not require that indemnification language be put into a business associate agreement. One or more parties may wish to include this language. Indemnification is the concept through which a party that is "at fault" makes the other party "whole" (pays for that other party's losses). For a breaching party to make someone whole is for the breaching party to pay the costs, expenses, fines, and losses that the non-breaching party incurs as a result of something the breaching party did or failed to do. Covered entities that want indemnification typically seek language to the effect of "Business Associate shall be responsible for all costs the covered entity incurs due to the business associate's breach or violation of the law, or of the business associate agreement." The term "costs" can include items such as attorney fees and costs of notification; a party insisting on an indemnification clause requiring responsibility for "costs" should define what the term "costs" means.
A common type of indemnification language is "mutual indemnification" language. Such language requires each party to indemnify the other for the first party's acts or omissions resulting in violation of HIPAA or of the business associate agreement ("A agrees to indemnify B for B's costs, expenses, fines, and damages sustained as a result of A's violations; B agrees to indemnify A for A's costs, expenses, fines, and damages sustained as a result of B's violations"). Mutual indemnification, generally, is more beneficial to the covered entity than to the business associate, because in a business associate relationship, the business associate is the party more likely to violate the agreement. Why? Because, generally, the business associate has more obligations under the agreement than the covered entity has. Parties should have indemnification language, and any other proposed permitted language, reviewed by an attorney before trying to include it in the agreement.
5. Choice of law and venue. The business associate agreement may contain (but is not required to contain) language that dictates, in the event of a lawsuit, which court or court system (the court where the CE resides, the court where the BA resides, or a different court) will hear the lawsuit, and which state's or forum's law will apply to the dispute (e.g., the law of party X's state of residence, the law of party Y's state of residence, or some other law). Choice of law and venue are terms to be negotiated. Such terms need not be in a business associate agreement for the agreement to be valid and binding.
6. Insurance. A covered entity might want to include BAA language requiring the business associate to maintain appropriate insurance to meet its indemnification obligations. Generally speaking, it is more important that a covered entity be able to include such language when the BA is a small, financially insecure business than when the BA is a large, established company. When negotiating an insurance clause, the parties should consider the various types of insurance that exist. Traditional general liability and malpractice policies generally do not cover breaches of unsecured PHI. Cyber liability insurance is the type of insurance a party would want to require the other to carry to cover the costs of that party's breach of unsecured PHI. The amount of insurance a party should seek depends upon the amount of PHI to be shared under the agreement, the risk profile of the agreement, and the bargaining positions of the parties. Again, insurance language is permitted and subject to negotiation. One party can insist on it; the other cannot be forced to accept it.
7. De-Identification of PHI. Many vendors want to de-identify the PHI they receive from a covered entity, to use for their own purposes - such as research or quality improvement. The parties are free to negotiate de-identification language. A covered entity can seek to include a provision that any de-identification be performed in accordance with HIPAA; can seek to require covered entity identifiers to also be removed; and can seek to hold the business associate responsible for improper de-identification.
8. Particular security safeguards. The parties may negotiate on the topic of what specific safeguards are to be used by the business associate. For example, the parties may negotiate over whether the business associate must mandate encryption when PHI is emailed or stored; over whether the business associate must require employees with access to PHI to enter into confidentiality agreements with the business associate; and over whether the BA must prohibit employee storage of PHI on personal devices.
9. Changes in law. HIPAA and its regulations are amended, revised, and re-interpreted by HHS. This means that an agreement that is compliant on one day may not be compliant after a change in law has gone into effect. A covered entity, to address this concern, may therefore seek to include language reserving to it the right to amend the business associate agreement in the event of a change in law. The covered entity may choose to include language making this right to amend unilateral, or may choose to include language requiring that "change in law" amendments be made only in consultation with the business associate. A covered entity may also seek to include a provision to the effect that failure to agree to a timely and satisfactory amendment terminates the business associate agreement and the underlying services agreement.
10. Issues of interpreting the agreement. The parties may seek to account for ambiguous agreement language. The parties may agree to add language to the effect of, "Any ambiguity in this Agreement shall be interpreted to permit compliance with the HIPAA Rules." This language is generally considered "neutral," as opposed to language that favors one side. (A clause common in many contracts provides that "Ambiguities in this agreement shall be construed against its drafter." That language can create its own confusion, especially where an agreement is jointly drafted.)
What Language May Not be in a Business Associate Agreement?
Language that calls for or that will result in a violation of law should not be in a business associate agreement. For example, language to the effect that "covered entity shall be directly liable for a HIPAA violation even when HIPAA provides that the business associate is directly liable for such violation," violates HIPAA, which sets forth the circumstances under which a business associate is directly liable. Parties may not attempt to re-write HIPAA under the guise of a proposed language change.
DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice; instead, all information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only. Information in this or any Knowledge Base article, or on the Compliancy Group website, may not constitute the most up-to-date legal or other information. For specific guidance on business associate agreement drafting, please consult a knowledgeable healthcare attorney. This article may contain links to third-party websites. Such links are only for the convenience of authorized users of Compliancy Group's services.