Content of a BAA Q & A

Q & A: Appreciating the Content of a Business Associate Agreement

Rachel V. Rose, JD, MBA, principal with Rachel V. Rose – Attorney at Law, P.L.L.C., Houston, TX, has a unique background, having worked in many different facets of healthcare, securities, cybersecurity, as well as international law and business throughout her career. Her practice focuses on a variety of cybersecurity, health care and securities law issues related to industry compliance and transactional work, as well as representing plaintiffs in Dodd-Frank/False Claims Act whistleblower claims. As a member of the First Healthcare Compliance Editorial Council, Rachel is a frequent presenter at educational events.  For more information regarding this topic please view a related webinar for further discussion and learning.

Below, Rachel answers some common questions and provides explanations of a few timely topics related to the education surrounding business associate agreements.

Could you give us an overview of what a BA or Business Associate Agreement is and who or what it involves?

Absolutely. And not surprisingly, that is a very detailed question. A business associate agreement, which is referred to in 45CFR160.504.E as a business associate contract is just that – it’s an agreement between two parties to do three primary things: first, ensure that both parties are utilizing the appropriate technical, administrative and physical safeguards in order to ensure that the confidentiality, integrity and availability of the protected health information remains intact. Additionally, it relates to the Privacy Rule, the entire security role and the breach notification rules being adhered to. The second element that always jumps out at me is the notification to the other party and then potentially, to HHS patients and the media in breaches of 500 or more individuals, and making sure that the parties designate the timeline that party, typically the party who’s the breach occurred on tells party B about this and then what transpires after that. The last main requirement or part of a business associate agreement is what to do when the relationship between the parties terminates. Now, that might seem simple, oh, I just need to either return and or destroy the data in a manner that complies with the HIPAA Security Rule, and preferably with NIST, that’s part of it. But as we all know, there are situations where we can’t just return or destroy information. Some of those may be obligations of a legal hold, or a government investigation or a lawsuit that might be in play. All of those are issues that are very, very important to appreciate. 

Now, having said that, your first question was really who does it apply to and under federal HIPAA, it applies to covered entities, which are healthcare providers, health care, claims, clearing houses, and insurance companies, and then their business associates, and then a subcontractor of that business associate. The easiest way to think about this is a straight line where you have a circle that says covered entity and then a line and then a circle that says business associate and then a line and then a circle that says subcontractor. And on that line, you should be thinking if I am A or B, or B or C, I need to make sure I have a business associate agreement in place because there is some type of agreement to create, retain or maintain, receive, or transmit protected health information. Those are the entities to whom it applies. 

Having said that a lot of state laws such as Texas House Bill 300 may have differing definitions of a covered entity. And in Texas, we have one definition and a covered entity covers. Any person who creates receives, maintains or transmits protected health information. Therefore, it’s prudent for any entity in Texas to make sure that they have the appropriate business associate agreement in place that also references the Texas Health and Safety Code as well as the Texas Business and Commerce code.

What is the primary purpose of a BAA?

As I mentioned, there are typically three main areas. But first and foremost, when you think of any contract, first, you need to define who the parties are at the very top, and which one assumes what role, whether it’s a covered entity in business associate or business associates and subcontractor. All of that is exceptionally important. So just something to be conscientious about there. Then you delve into the three overarching areas or purposes behind the Business Associate Agreement to ascertain that both parties each have been given reasonable assurances that the technical, administrative, and Physical Safeguards, as well as the privacy rule, security rule and Breach Notification Rule, and compliance and requirements are being met. 

Another item that relates to that now is the 21st Century Cures Act in the ability to give patients their medical records in formats such as smartphone apps that weren’t necessarily available before but along with that related to information blocking, are situations where a provider or a business associate may say, what the general rule is that we have to provide this, but this is not an app that is secure or that we’re familiar with and for the safety of the entity and for structure, we’re not going to provide that. So it’s important now to reference state laws and other relevant laws such as a 21st Century Cures Act. 

The next main area, has to do with notification to the other party if you have a reportable cyber security incident, typically known as a breach, in accordance with the Breach Notification Rule. And there are really two steps to that. First, you want to have a timeframe set out between the parties as to when party A, if they’re the breaching party, has to notify party B, that there has been a breach. That’s important because their IT department needs to take appropriate steps in order to safeguard certain things or go to plan B to go to backups. So it’s really mutual in nature along those lines. And then the second part of a reportable breach would then be under the Breach Notification Rule, to report to HHS to report to the patients and to report to the media if the breach itself affects 500 individuals or more.

Can you explain reasonable assurances in relation to business associate agreements and HIPAA?

Reasonable assurances in HIPAA is the first part of the business associate aid agreement. Both parties, giving assurances that they meet the technical, administrative and physical safeguards in order to ensure the confidentiality, integrity and availability of the data. What would give someone peace of mind and also give them something legally, that they could say, what we know that we do not have a right to go in and inspect everything. I have seen situations where, given the size of the contract, or the particular service that was at stake, sometimes, one entity will agree to let another entity come on site and view their operations, which is only one part of that. What I do is I have my clients get a signature on an attestation. And the purpose behind it is that these reasonable assurances are being provided in order to give peace of mind that the party is adhering to the requirements of HIPAA in the HITECH Act. And if people can answer these five questions in earnest, you should walk away with a good feeling that they’re doing everything that needs to be done. The first question is, does the party undergo an annual risk analysis that is comprehensive? Second, do they train their workforce annually? Third is PHSI insensitive PII encrypted both at rest and in transit? Fourth, are business associate agreements in place, and are they recorded? And lastly, are policies and procedures at least reviewed annually, and are they comprehensive? So with that, that is a how I define and think of a reasonable assurance? And secondly, how I advise my clients to protect themselves. And then lastly, the types of reasonable assurances are those five that I honed in on?

What are indemnification provisions and what language should be used in indemnification provisions?

It’s typically thought of as a contractual obligation of one party to compensate the loss incurred to the other party, due to certain acts of the indemnitor or any other party, the duty to indemnify is usually but not always, coexisting with the contractual duty to hold harmless or safe, harmless. So, let’s step back for a moment. So typically, first, before you draft an indemnification provision, you want to make sure that you have an appreciation of a variety of different state laws, whether it is derived from common law, or whether it is like California set forth in a statute. Typically, the way a lot of indemnification provisions are written are to indemnify defend and hold harmless. And if you don’t have that exact language, depending on the jurisdiction that you’re in, you may or may not have to defend someone and pay for those costs. 

You asked me how I would draft one of these. And it’s so specific to the facts and circumstances in general that I’m trepidatious just to throw out any language surrounding that, but I will say that it’s important to appreciate the significance of an indemnification provision and some indemnification provisions. I read and I’m like, “Oh my gosh, I would not advise anyone to sign that it’s because it’s so one sided, that only one party is held harmless.’ And in the event of a breach regardless of whether or not for example, a business associate cause the breach some of these endemic indemnification provisions read that the business associate is responsible for all of the costs. So that should be one of the provisions that any person reads very, very carefully, because it could contradict with your other contracts that you have in place. 

B, you could be shouldering all of the liability even if you’re not responsible for the breach or the bad act. When I write them, I typically make them mutual that if one is being indemnified, the other one’s going to indemnify if they’re at fault. So mutual defend is the key term that I discuss with the party. And typically, the party will go back to the other entity if they are in a negotiation. And oftentimes, they’ll say, “You know what, we’ll just agree to be responsible for our own attorneys fees on this.” So that’s what will happen there. 

And then the last part of that, that something I’ve been doing for a few years now, is to really carve out and there, there are two schools of thought on this. But when I carve out specific indemnification provisions related to a breach, it’s the breaching party has the obligation to pay for the notification to government entities, to the media into the individual patients. But that’s where the liability and so there’s no payment of attorney’s fees, there’s no payment of ransomware. There’s no paying for a deductible on an insurance policy or anything like that. What my clients and actually when I’ve been on the phone with opposing parties as well, what they’ve said is that we like this, because we know upfront what we’re responsible for, and it’s limited to this, and it’s balanced for both of us. 

There’s no cookie cutter way to draft an indemnification provision, you just have to literally take it word by word with the parties that you’re dealing with.

Did you have any other thoughts that you wanted to share with us concerning BAAs?

Just be aware that BAs are not cookie cutter, however, there are certain terms and certain provisions, which you’ll see over and over again. And that’s because they’re required by the statute and then recommended by HHS on their website.