Avoid these pitfalls and use common sense when handling business associate agreements
By Edward F. Shay
Most covered entities are coming to terms with their obligation to modify agreements
with business associates to obtain necessary assurances that the business associates will
abide by the HIPAA privacy rule. When HHS published the proposed revisions to the
final privacy rule in March 2002, it included in the preamble a model business associate
agreement. The model had advantages and disadvantages. The primary advantage was
that it created a reasonably balanced form against which providers could measure their
own forms.
However, there are portions of the federal model that went beyond the scope of the
privacy rule and created obligations that did not exist as a matter of law. For example,
nothing in the privacy rule requires that a business associate make its books and records
available to the covered entity as well as HHS. However, the model included language to
that effect. As the American Hospital Association pointed out in its comment on the
model agreement, subtle ties between a covered entity and a business associate like these
could strengthen an allegation that the provider is legally liable for the otherwise
independent acts of its business associates.
In the August 14, 2002 final amendment to the privacy rule, HHS retained the model, but
renamed it the “sample,” and removed some of the phrases that exceeded the scope of the
privacy rule.
In addition, the August amendment provided a one-time transition extension in the
compliance date for agreements with business associates that existed before October 15,
2002, the effective date of the August amendment. These existing agreements must
conform to the requirements of the amended privacy rule by April 14, 2004, rather than
April 14, 2003—the overall compliance date.
The amendment gives covered entities valuable guidance for agreement language.
Notwithstanding this clearer climate, covered entities will benefit from a few more
practical lessons about dealing with business associates.
Use the extension effectively
Early in the compliance process, many covered entities assumed that they could get
associates to sign a short form of addendum and rely upon that to check off “business
associate agreements” on their compliance “to-do” list. Since then, covered entities have
spent a lot of time and energy identifying business associates and revising written
agreements with them. The task of renegotiating agreements has proven challenging. In
many instances, vendors and covered entities have found themselves locked in the
proverbial battle of the forms. With the extension afforded by the August amendment,
now is a good time for covered entities to reassess how they approach the process of
revising their business associate relationships.
Keep proportion in mind
The hard reality of business associate agreements is that one size does not fit all. A
software vendor whose “use” of PHI is incidental to modem access for service support of
a provider’s clinical information system does not need to give ironclad assurance that it
will provide information for future accountings. There should be no designated record
sets in the vendor’s possession and no need for this assurance. Rather than arm-wrestle
every vendor, think about making your business associate agreements flexible and in
proportion to the uses and disclosures involved. Try starting with a form—perhaps the
federal sample form—and develop a series of two or three forms for different classes of
relationships. This way, a modest software service agreement would require far fewer
assurances than a full-blown data outsourcing alliance.
Clearly state uses and disclosures
Getting the right protection requires an agreement that clearly states the specific agreed-upon
uses and disclosures of PHI. Too often, agreements speak in terms of general
obligations and undertakings. When changing a business associate agreement to comply
with HIPAA, it is extremely important to question workforce members with direct
involvement in the covered activity. The reality of day-to-day operations may differ
significantly from a business associate’s written promises. A business associate
addendum should explicitly state all uses and disclosures.
Watch the indemnifications
Indemnifications are promises by one party to hold the other harmless in the event of its
negligence, intentional wrongdoing, or a breach of the agreement. Nothing in the federal
sample or the privacy rule requires indemnification. Still, many covered entities seek
indemnification for violations of the business associate assurances. Some covered entities
seek indemnifications that extend beyond a violation of the privacy rule assurances and
into common law breaches of confidentiality because one problem may trigger exposure
of the other type. However, the liability insurance of the indemnifying party may not
back these indemnifications because such insurance commonly excludes payment for
illegality or contractual liability. An unfounded indemnification is often the ultimate
empty gesture.
Scale safeguards
One of the assurances required from a business associate is an obligation to use
appropriate safeguards to protect the security of PHI. These protections should be
reasonable and scalable. The provision does not require incorporation of the security
rule (proposed or final) by reference. But it would be wise to draft business associate
agreements that provide you the option to re-visit these assurances when the final security
regulation is published.
Always negotiate
Many covered entities take the position that their form of business associate agreement is
“non-negotiable.” This position is difficult to maintain for at least two reasons. First, if a
non-negotiable form is simply bad business for a vendor, loaded with hidden costs with
no commensurate increase in compensation, you may find yourself looking for
replacement vendors. In short, when it comes to money, everything is negotiable.
Second, if an agreement that does not contain a change-of-law provision is already in
place, the business associate has no obligation to renegotiate. If a covered entity uses a
vendor’s refusal to sign a “non-negotiable” business associate addendum as grounds to
terminate an existing agreement, the vendor could sue for a breach in bad faith.
Don’t forget the agreement
In an understandable effort to minimize the administrative
burden of adapting business associate agreements, many covered entities have resorted to
sending a form, or one of a few forms, in the mail to business associates. This approach
may lessen the compliance load, but it does little to fit the terms of the business associate
assurances into the context of the larger document. You need to know what the existing
business associate agreement says and what the business associate does before amending
the document.
An indemnification clause in the master agreement may require notice before taking
effect while one in the form of business associate assurances does not. Even though a
good form will include coordinating terms on construction (e.g., the form controls the
master in event of a conflict), careful drafting doesn’t substitute for due diligence. At a
minimum, a hands-on approach is needed for more significant business associate
relationships.
Don’t play the effective date game
The August amendment gives covered entities until April 14, 2004, to change existing
agreements to conform to the business associate requirements. Obviously, in the 60-day
period between the publication date of the August amendment and the October 15, 2002,
effective date, covered entities can enter into agreements that will not require business
associate assurances before April 14, 2004. However, unless the entire relationship will
conclude and all obligations be completely performed by April 14, 2004, there is little
real incentive to play the effective date game. Covered entities are much better positioned
to negotiate complete agreements that include the appropriate assurances while their
overall proposal and pricing is on the table. Deferring business associate requirements to
a later date only gives the other party the opportunity to revisit other terms of the
agreement when the covered entity finally needs to revise the agreement. After all,
everything is negotiable.
Editor’s note: Edward F. Shay is a partner in the national health law practice at the
Philadelphia-based law firm of Post & Schell, PC. The firm’s national practice provides
services to a broad spectrum of institutional providers and payers. Shay may be reached
at eshay@postschell.com.