Negotiating Business Associate Agreements - General Information

Modified on Tue, 15 Jul at 12:29 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

Introduction

This article discusses the required components of a HIPAA business associate agreement. The article also discusses components of a business associate agreement that, while not required, frequently are used in the agreement. This article is not intended to provide, nor does it provide, legal advice or legal services. Questions regarding the drafting, composition, and construction of business associate agreements should be directed toward a qualified attorney.


What are Business Associate Agreements?

Business associate agreements, or BAAs, are legally binding contracts between covered entities and business associates. Business associate agreements are legally binding contracts between business associates and their business associate subcontractors as well.

What Language Must Be in a Business Associate Agreement?

The HIPAA Privacy Rule at 45 CFR 164.504(e)(2)(ii) sets forth the content that must be in a business associate agreement between a covered entity and a business associate. The business associate agreement must provide that the business associate will:


        1.  Not use or further disclose PHI other than as permitted or required by the contract or as 

             required by law.

        2.  Use appropriate safeguards and comply, where applicable, with the HIPAA Security Rule  

             with respect to electronic protected health information (ePHI), to prevent use or disclosure of 

             the ePHI other than as provided for by the BAA.

        3.  Report to the covered entity any use or disclosure of the information not provided for by the 

             BAA that the business associate becomes aware of, including breaches of unsecured 

             protected health information as required by the Breach Notification Rule.

Business associate agreements must also provide that the business associate will:


  • Ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information.
  • Make available protected health information in accordance with the HIPAA Privacy Rule right of access provision.
  • Make available protected health information for amendment and incorporate any amendments to protected health information, in accordance with the Privacy Rule’s “Amendment to Protected Health Information” provision.
  • Make available the information required to provide an accounting of disclosures in accordance with the Privacy Rule’s “Accounting of Disclosures” provision. 
  • To the extent the business associate is to carry out a covered entity's obligation under the Privacy Rule, comply with the requirements of the Privacy Rule that apply to the covered entity in the performance of that obligation.   
  • Make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by the business associate on behalf of, the covered entity available to the HHS Secretary for purposes of determining the covered entity's compliance with the Privacy Rule.  
  • At the termination of the BAA, if feasible, return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity that the business associate still maintains in any form and retain no copies of such information, or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.


What Language is Permitted to be in a Business Associate Agreement?


There is certain language that, while not required to be included in a business associate agreement (either a CE/BA agreement or a BA/BA subcontractor agreement), is permitted to be in the agreement. If a piece of content is permitted (but not required) to be in an agreement, then, in general, the parties to the agreement negotiate over whether to include that content, and how exactly it should read.

Examples of permitted language include:

1. Breach reporting time period language. The business associate agreement (see provision #3 of 10 above) requires the BA to "report to the covered entity any use or disclosure of the information not provided for by the BAA that the business associate becomes aware of, including breaches of unsecured protected health information as required by the Breach Notification Rule."

Under the Breach Notification Rule, a business associate must provide notification of a breach of unsecured PHI to the covered entity "without unreasonable delay and in no case later than 60 calendar days after discovery of a breach." Can the parties agree to lengthen this time period, say, to a period of 120 days? No; the law allows no more than sixty days. The parties can, however, agree to shorten the 60-day period. A covered entity might want a lower number, especially because it has its own obligation to report breaches to individuals without unreasonable delay, and in no case later than 60 calendar days after discovery of a breach. A business associate may desire a number that is higher than the number that the covered entity wants.

HIPAA does not dictate what the appropriate number of days, as between the parties, is or should be. If one or more parties wants to change the reporting period, the number of days a business associate has to report an incident is subject to negotiation between the parties.

2. Indemnification language. HIPAA does not require that indemnification language be put into a business associate agreement. One or more parties may wish to include this language. 

Indemnification is the act of compensating a person or entity for damages or losses that person or entity has incurred or will incur related to a specified incident, or event. An indemnification agreement is a written agreement in which one party (indemnitor) promises to indemnify the other party (indemnitee) for specific losses or damages. 


Covered entities that desire indemnification from a business associate typically seek language to the effect of "Business Associate shall be responsible for all costs the covered entity incurs due to the business associate's breach or violation of the law, or of the business associate agreement." The term "costs" can include items such as attorney fees and costs of notification; a party insisting on an indemnification clause requiring responsibility for "costs" should define what the term "costs" means. Conversely, a business associate may desire indemnification from a covered entity for the business associate's losses, and may seek similar language requiring the covered entity to be responsible for costs incurred due to its breach or violation of law or of the business associate agreement.

A common type of indemnification language is "mutual indemnification" language. Such language requires each party to indemnify the other for the first party's acts or omissions resulting in violation of HIPAA or of the business associate agreement ("A agrees to indemnify B for B's costs, expenses, fines, and damages sustained as a result of A's violations"; "B agrees to indemnify A for A's costs, expenses, fines, and damages sustained as a result of B's violations").

Parties should seek attorney review of proposed indemnification language.

3. Choice of law and venue language. The business associate agreement may contain (but is not required to contain) language that dictates, in the event of a lawsuit, which forum or venue (e.g., "state courts of New York"; "state courts of Suffolk County, New York") will hear the lawsuit. Oftentimes, the covered entity will prefer its state as the venue, and the business associate will prefer its state. The agreement may also contain language about "choice of law," that is, which state's law will apply in the event of a dispute. Choice of law and venue are terms to be negotiated. Such terms need not be in a business associate agreement for the agreement to be valid and binding.

4. Insurance language. A covered entity might want to include BAA language requiring the business associate to maintain specified insurance, such as cyber liability insurance. Commonly, this language references an indemnification obligation. For example, a covered entity may seek language requiring a business associate to maintain specific insurance(s) at a specific monetary level(s) "sufficient to meet its indemnification obligations under the business associate agreement."

Insurance language is permitted and subject to negotiation. 


5. Particular security safeguards language. The parties may negotiate on the topic of what specific security safeguards are to be used by the business associate in the performance of the business associate agreement. For example, the parties may negotiate over whether the business associate must mandate a certain level and type of encryption when PHI is emailed or stored; over whether the business associate must require employees with access to PHI to enter into confidentiality agreements with the business associate; and over whether the BA must prohibit employee storage of PHI on personal devices.


DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice; instead, all information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only. Information in this or any Knowledge Base article, or on the Compliancy Group website, may not constitute the most up-to-date legal or other information. For specific guidance on business associate agreement drafting, please consult a knowledgeable healthcare attorney. This article may contain links to third-party websites. Such links are only for the convenience of authorized users of Compliancy Group's services.