Tips and Tricks for Reviewing a Business Associate Agreement
This blog post provides essential insights into reviewing Business Associate Agreements (BAAs), crucial for safeguarding Protected Health Information (PHI) under HIPAA regulations. It offers a comprehensive overview of BAAs, highlighting their main provisions, and outlining effective review and negotiation strategies.
The Importance of Business Associate Agreements
A Business Associate Agreement, as defined in the HIPAA regulations (45 CFR 160.504(e)), is a contract between a HIPAA covered entity and a business associate, or between a business associate and a subcontractor, regarding the use and disclosure of PHI. BAAs are required under HIPAA whenever a business associate creates, receives, maintains or transmits protected health information on behalf of a covered entity. There are limited exceptions, like some conduits of PHI such as internet service providers or mail carriers. These agreements are pivotal for a range of industries and organizations, significantly impacting both covered entities and their business associates.
Specifically, covered entities are defined by HIPAA to include the following:
- Healthcare Providers: Hospitals, clinics, doctors, psychologists, dentists, chiropractors, pharmacies, rehabilitation centers, and nursing homes.
- Health Plans: Health insurance companies, HMOs, company health plans, and government programs that pay for healthcare, such as Medicare, Medicaid, and the military and veterans healthcare programs.
- Health Care Clearinghouses: Public or private entities, including billing services, repricing companies, community health management information systems, and “value-added” networks that either process or facilitate the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction, or vice versa.
- Hybrid Entities: A single legal entity that performs business activities that include both covered and noncovered functions, and designates its health care components as provided in the Privacy Rule. If a covered entity is a hybrid entity, the Privacy Rule generally applies only to its designated health care components.
Meanwhile, business associates and their subcontractors run the gamut as they include any person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. Examples include:
- Health Tech: Healthcare technology companies offering services such as electronic health records (EHR) systems, telehealth platforms, and data analysis tools.
- Third-party Administrators and Billing Services: Companies that manage healthcare claims, billing, plan design, recordkeeping, and employee benefits.
- Service Firms: Legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services firms.
Negotiating the Main Provisions of Business Associate Agreements
Beyond identifying the regulatory roles of the parties, a BAA serves three primary purposes. First, BAAs ensure that both parties are applying the appropriate technical, administrative and physical safeguards so that the confidentiality, integrity and availability of the PHI remain intact. Second, BAAs ensure that the parties adhere to the breach notification rules, for example, notification to the other party and then, potentially, to HHS, patients and the media for breaches of PHI involving 500 or more individuals, and that the parties designate the timelines for notification and any further actions. The third main component of a BAA addresses what happens when the relationship between the parties terminates.
A. Reasonable Assurances of Safeguards
Delving more deeply into the three overarching areas or purposes behind the Business Associate Agreement, we want to first ascertain that both parties have each given reasonable assurances that the technical, administrative and physical safeguards as well as the Privacy Rule, Security Rule and Breach Notification Rule compliance and requirements will be met.
Reasonable assurances that a party meets the technical, administrative and physical safeguards of HIPAA (in order to ensure the confidentiality, integrity and availability of the data) are the things that give peace of mind about HIPAA compliance without having to inspect or audit the other party. I recommend that my clients obtain a signed attestation, about half a page in length, stating that these reasonable assurances are being provided, in order to give peace of mind that the party is adhering to the requirements of HIPAA and the HITECH Act. Specifically, the attestation requires the signing party to answer the following questions truthfully:
1. Does the party undergo an annual risk analysis that is comprehensive?
2. Do they train their workforce annually?
3. Is PHI and sensitive PII encrypted both at rest and in transit?
4. Are Business Associate Agreements in place, and are they recorded?
5. Are policies and procedures at least reviewed annually, and are they comprehensive?
If the party can answer these five questions in earnest, you should walk away with a good feeling that they’re doing everything that needs to be done.
B. Breach Notification and Liability
The next main area of a BAA has to do with notification to the other party of a reportable cybersecurity incident, typically known as a breach in accordance with the Breach Notification Rule. A breach is defined in HIPAA section 164.402 as basically “the acquisition, access, use or disclosure of protected health information in a manner that is not permitted, which compromises the security or privacy of the protected health information.” It is important to set forth the timelines for notification to the other party of a breach and any further actions, as well as which party will be responsible for the costs of mitigating the breach.
Along those lines, BAAs should address the potential liability associated with a breach, not all of which necessarily arises under HIPAA. Liability may also arise under state law; for example, Texas has a definition of a covered entity that is broader than the definition under HIPAA. Liability can also arise through the Federal Trade Commission, which has its own Breach Notification Rule providing that, even if you are not obligated under HIPAA, you may still have an obligation to report a breach of PHI to consumers pursuant to Title 5 of the Federal Trade Commission Act, and courts have held that the Federal Trade Commission does in fact have enforcement authority in that situation. Finally, the parties may face liability for a breach via a class action lawsuit or a common law negligence lawsuit arising from a breach under HIPAA.
One way in which parties can contractually address this potential liability is through an indemnification clause, which is typically thought of as a contractual obligation of one party (the “indemnitor”) to compensate the other party for a loss incurred due to certain acts of the indemnitor or a third party. The duty to indemnify usually, but not always, coexists with the contractual duty to hold harmless. Before you draft an indemnification provision, you want to make sure that you have an appreciation of the various state laws that may apply, whether derived from common law or set forth in a statute. Most indemnification provisions are written to indemnify, defend, and hold harmless. If you don’t have that exact language, then depending on the jurisdiction you’re in, you may or may not have to defend someone and pay for those costs.
It’s specific to the facts and circumstances, but I would generally not advise anyone to agree to an indemnification provision that is one-sided. For example, some indemnification provisions that I have seen state that in the event of a breach, regardless of whether or not the Business Associate caused the breach, the Business Associate is responsible for all of the costs. That is a provision that any person should read very, very carefully, because it could conflict with your other existing contracts and/or leave you shouldering all of the liability, even if you’re not responsible for the breach or the bad act. So when I write them, I typically make indemnification provisions mutual, so that if one party is being indemnified, the other party will also indemnify if it is at fault.
C. Termination of the Relationship
The final main area of a BAA addresses termination of the relationship, including the return or destruction of PHI. For example, it is important to consider carving out from the return requirement any PHI that the business associate must legally maintain, as well as PHI that must be kept in accordance with the business associate’s records retention and security policies. Additionally, the business associate should consider whether, and under what circumstances, it has the right to terminate the BAA. On occasion, a covered entity will insist upon negotiating from its own template, which fails to address termination rights for the business associate.
Other Considerations in Negotiating BAAs
A. The Cures Act
The 21st Century Cures Act and the ability to give patients their medical records in new formats such as smartphone apps present some new considerations for covered entities and business associates. Specifically, the ONC’s Final Rule prohibits a practice called “Information Blocking” by entities designated as “actors” under the rule, which include healthcare providers. Basically, information blocking is a practice by an actor that is likely to interfere with the access, exchange, or use of electronic health information (EHI), except as required by law or as specified in an information blocking exception. One of the eight exceptions is the security of the EHI, provided certain conditions are met. For example, a provider or a business associate may determine that a smartphone app is not secure, or that for the safety of the entire IT infrastructure it will not provide medical records in that format. So it is now important to reference state laws and other relevant laws such as the 21st Century Cures Act.
B. Not One Size Fits All
Be aware that BAAs are not cookie cutter. While there are certain terms and provisions that you’ll see over and over again because they’re required by the statute or recommended by HHS on its website, no business relationship is exactly the same. As such, it is important to consider those specific facts and circumstances underlying any individual BAA that may require you to customize a template in order to protect your client.
The Role of AI Contract Review to Control Risk and Accelerate Agreement
These days there are a number of ways in which lawyers can use AI tools to assist them in reviewing BAAs, maintaining consistency of terms across BAAs, and managing ongoing contractual obligations. More specifically, many such tools can help with:
- Risk Identification: Spotting critical risks in BAAs, including aggregation and/or de-identification permissions, limitation of liability, and indemnification language.
- Compliance Guidance: Providing insights on the accuracy of defined terms and the required elements of a BAA, ensuring alignment with legal standards.
- Efficient Review Process: Accelerating analysis of key provisions such as breach notification and response, cybersecurity requirements, and audit rights.
- Subcontractor Management: Assessing whether PHI can be shared with subcontractors, whether such sharing is subject to express conditions, and which contractual obligations of the BAA must be included in a business associate’s BAA with such subcontractors.
- Post-Contractual Obligations: Highlighting post-termination obligations like indemnification responsibilities, which is essential for ongoing compliance and risk management.
One such AI-based tool is LegalOn, software that not only has contract review and revise functions, but also collaboration features, a contract repository, compare functionality, a template library, and an AI assistant that can help you to quickly search, analyze, and assess contracts. Notably, LegalOn is created by lawyers for lawyers.
Conclusion
Robust BAAs are indispensable for regulatory compliance and the protection of PHI. When well written, they establish clear roles and responsibilities, mitigate risks, and increase the likelihood of adherence to HIPAA regulations. At a minimum, practitioners should focus on whether the BAAs that they negotiate appropriately address the main provisions of a BAA, and in particular those that relate to breach, such as liability, indemnification, and post-breach notification, mitigation, and reporting requirements.
Effective review and negotiation of BAAs can be substantially augmented by AI-based contract review and revision tools, which can identify risks, provide actionable insights, and enhance efficiency. In the dynamic landscape of healthcare, where compliance and data security are paramount, the strategic importance of well-drafted and thoughtfully-negotiated BAAs cannot be overstated. They are not only legally mandated where applicable, but foundational elements for maintaining trust and integrity in healthcare operations.
About the Author
Rachel V. Rose, JD, MBA is an attorney based in Houston, TX. Her practice covers healthcare, cybersecurity, securities, the False Claims Act, and Dodd-Frank regulations. Ms. Rose teaches bioethics as affiliate faculty at Baylor College of Medicine.