By Shalyn Watkins
Signing a Business Associate Agreement (BAA) is a standard practice for most healthcare providers and businesses. The Health Insurance Portability and Accountability Act (HIPAA) requires that covered entities, business associates and downstream business associate subcontractors enter into a BAA when contracting for services that require the sharing of Protected Health Information (PHI) outside the organization. It is a common misconception, however, that these agreements are boilerplate. Some parties either fail to read and negotiate the terms of the BAA or, worse, forgo executing the agreement altogether. Neither is advisable: BAAs are critically important and can make or break a compliance program if they are not taken seriously.
Though BAAs may appear to be standard attachments to service agreements, they are not standard boilerplate, and therefore require careful review and consideration. This article will highlight five key things that parties should consider when negotiating a BAA.
1. Make Certain Your BAA Is Compliant – and That You Have One
Many parties fail to comply with the basic formalities required under HIPAA even though the required elements of a BAA are defined in federal regulations. Standard confidentiality agreements or nondisclosure agreements do not meet these requirements. The failure to execute a BAA can itself be a HIPAA violation that results in severe monetary fines. Disclosure of PHI in the absence of an executed BAA is an impermissible disclosure and potentially a HIPAA breach requiring notice.
2. Clarify Unclear Reporting Obligations
Some BAAs attempt to pass the covered entity's obligation to report breaches to the business associate. This delegation is permissible under HIPAA, but the business associate is not always in the ideal position to notify the required parties. Business associates accepting this responsibility should clarify their reporting obligations and ensure they have the infrastructure to report breaches to affected individuals, to the Secretary of the U.S. Department of Health and Human Services (HHS) and, when required by law, to the media. The HHS Office for Civil Rights (OCR) has been clear that covered entities remain ultimately responsible for ensuring that notice is provided in compliance with HIPAA's breach notification regulations, but a business associate's failure to perform the delegated notifications may create distrust between the parties and could result in termination of the underlying Service Agreement.
3. Beware of Outdated Agreements
Some parties have not updated their BAAs as HIPAA has changed. If, for example, a form agreement was originally drafted before 2013, it would not address the 2013 Omnibus Rule implementing the Health Information Technology for Economic and Clinical Health (HITECH) Act. That old agreement would be missing the amended definition of a breach and probably would not address the risks facing the parties' operations in 2024. Furthermore, because HHS and OCR continue to issue new regulations and guidance, BAAs and HIPAA policies and procedures can require frequent updating.
4. Make Sure Restrictive Agreements Aren't Too Restrictive
HIPAA does not prohibit parties from including terms in their BAAs that go beyond the items required under the regulation. Accordingly, business associates should read any additional provisions carefully and ensure they are not overly restrictive. The permitted-conduct section of the BAA limits the business associate's use and disclosure of PHI to the purposes allowed in the agreement; if that section does not cover conduct that is necessary for performing the services in the Service Agreement, the business associate may be unable to provide those services to the covered entity without violating HIPAA. The terms of a BAA should be drafted carefully to ensure that the business associate has sufficient permissions to perform the services required under the contract.
5. Avoid Unrealistic Reporting Times
Business associates may not be immediately aware of security incidents when they occur. Especially when the business associate works with independent contractors and parties outside its organization, it has less control over, and less insight into, the occurrence of security incidents and breaches. If the BAA requires notification within just a few days of the incident's occurrence, the business associate is more likely to be in breach of the BAA when it cannot report the incident to the covered entity in time. Note that the regulatory baseline runs from discovery, not occurrence: HIPAA requires a business associate to notify the covered entity of a breach without unreasonable delay and in no case later than 60 calendar days after discovery, so a short clock measured from occurrence is a contractual tightening, not a regulatory requirement. This impossible situation can be avoided if the business associate reads and negotiates the reporting time obligations in the BAA. Although reporting understandably must occur relatively quickly so the covered entity can assess whether a breach has occurred, business associates can request reasonable reporting timelines at the outset.
Importantly, HIPAA permits the addition of other terms that are not inconsistent with the regulation. Provisions addressing indemnification, injunctive relief, the relationship to state privacy laws and to other federal laws (such as 42 CFR Part 2 and Cures Act information blocking), and similar matters may be included in the agreement. The terms of these agreements can make or break a party's privacy compliance program and should be treated as important topics of negotiation. Though this list is not exhaustive, it represents five of the biggest considerations for parties entering into BAAs.
Shalyn Watkins, an associate in the Los Angeles office of Holland & Knight, is a graduate of the University of Alabama School of Law who is still licensed in Alabama and has practiced for a number of years in Birmingham.