By Katea Ravega, Attorney at Quarles & Brady LLP
Know your role and know your goals! The strategy behind negotiating a Business Associate Agreement (BAA) changes dramatically depending on whether you are a business associate or a covered entity under HIPAA. HIPAA and its implementing regulations impose a variety of legal requirements on covered entities and business associates, including certain provisions that must be included in the BAA.
While the legally required content is not negotiable, many other factors are – resulting in a battle of the BAAs. Penalties have increased, and business associates are now directly liable under HIPAA, so business associates and covered entities approach the BAA battle with more vigor and very different goals. Three areas posing significant challenges in these negotiations are (1) audits; (2) reimbursement for breach-related costs; and (3) which entity’s notification preferences and policies will control in the event of a conflict.
1. Audits, Or Access To Books And Records
A BAA must require the business associate to allow the Secretary of the Department of Health and Human Services access to the business associate’s records in order for the Secretary to assess the covered entity’s compliance.
In the wake of HITECH, covered entities often try to expand this provision so that the covered entity itself may access the business associate’s books and records. Although HIPAA does not require it, covered entities seek such a provision to gain an additional opportunity to evaluate the business associate’s compliance and security measures.
In contrast, business associates often push back on audit rights for a covered entity. Allowing each covered entity to access the business associate’s books and records can be time consuming and can increase operational costs. If business associates agree to allow such access, they will probably want to impose limits, such as: (1) requiring the covered entity to sign a nondisclosure agreement before accessing the records; (2) limiting the number or frequency of audits; or (3) requiring the covered entity to pay the costs associated with the audit.
2. Paying For Costs Of A Breach
HIPAA is silent regarding which party bears the costs associated with a breach, and does not require this to be addressed in the BAA. In addition to potential government penalties, the parties face overwhelming costs in managing breaches, such as investigation (potentially including forensic analysis); legal fees; notification to affected individuals, the media, and the government; and credit monitoring or other mitigation.
As a safeguard against this exposure, many covered entities seek indemnification provisions in a BAA, or request that a business associate be responsible for specified costs in the event the business associate causes a breach. Business associates often resist indemnification or liquidated damage provisions, relying instead on applicable law or the underlying service agreement. Sometimes business associates may agree to pay specified costs up to a pre-determined liability cap.
It is also acceptable for the BAA to remain silent on the allocation of costs. If the parties do agree to such provisions, the indemnitor should verify with its insurer that there is not a coverage exclusion for contractually incurred liability.
3. Complying With The Other Party’s Notice Timing & Policies
HIPAA requires notice of a breach of unsecured protected health information to be given without unreasonable delay and in no case later than 60 days after discovery: the covered entity must notify affected individuals within that window, and the business associate must notify the covered entity within that same outer limit, and some states have shorter timelines that must be met. HIPAA does not, however, fix a specific shorter period within which a business associate must report a suspected or confirmed breach to the covered entity. As a result, it is common for the parties to battle over the timing of a report.
The covered entity will seek a shorter notification period, especially if there is a risk that the business associate will be viewed as an “agent”; in that case, the covered entity’s notice obligation may begin when the business associate discovers an incident. The business associate will battle for a longer period of time to complete its investigation before reporting. There is no correct answer, as long as the time is within the reporting requirements under applicable laws.
A more general issue is that a BAA may require the business associate to comply with the covered entity’s HIPAA policies.
Although not required by HIPAA, this gives covered entities some reassurance about how their data is safeguarded. Business associates, particularly those that work with many different covered entities, will often resist a blanket obligation to comply with another party’s policies. From an operational standpoint, this would be difficult, and it may not provide much additional protection now that business associates are required to have policies of their own.
4. Practical Take-Aways
Before you charge into battle, (1) know which provisions are required by law, (2) know your goals for provisions that are not legally required, and (3) prioritize based on whether you are the covered entity or the business associate.