Avoid These Pitfalls and Use Common Sense When Handling Business Associate Agreements

Avoid these pitfalls and use common sense when handling business associate agreements

By Edward F. Shay

Most covered entities are coming to terms with their obligation to modify agreements with business associates to obtain necessary assurances that the business associates will abide by the HIPAA privacy rule. When HHS published the proposed revisions to the final privacy rule in March 2002, it included in the preamble a model business associate agreement. The model had advantages and disadvantages. The primary advantage was that it creates a reasonably balanced form against which providers could measure their forms.

However, there are portions of the federal model that went beyond the scope of the privacy rule and created obligations that did not exist as a matter of law. For example, nothing in the privacy rule requires that a business associate make its books and records available to the covered entity as well as HHS. However, the model included language to that effect. As the American Hospital Association pointed out in its comment on the model agreement, subtle ties between a covered entity and a business associate like these could strengthen an allegation that the provider is legally liable for the otherwise independent acts of its business associates.

In the August 14, 2002 final amendment to the privacy rule, HHS retained the model, but renamed it the “sample,” and removed some of the phrases that exceeded the scope of the privacy rule.

In addition, the August amendment provided a one-time transition extension in the compliance date for agreements with business associates that existed before October 15, 2002, the effective date of the August amendment. These existing agreements must conform to the requirements of the amended privacy rule by April 14, 2004, rather than April 14, 2003—the overall compliance date.

The amendment gives covered entities valuable guidance for agreement language. Notwithstanding this clearer climate, covered entities will benefit from a few more practical lessons about dealing with business associates.

Use the extension effectively

Early in the compliance process, many covered entities assumed that they could get associates to sign a short form of addendum and rely upon that to check off “business associate agreements” on their compliance “to-do” list. Since then, covered entities have spent a lot of time and energy identifying business associates and revising written agreements with them. The task of renegotiating agreements has proven challenging. In many instances, vendors and covered entities have found themselves locked in the proverbial battle of the forms. With the extension afforded by the August amendment, now is a good time for covered entities to reassess how they approach the process of revising their business associate relationships.

Keep proportion in mind

The hard reality of business associate agreements is that one size does not fit all. A software vendor whose “use” of PHI is incidental to modem access for service support of a provider’s clinical information system does not need to give ironclad assurance that it will provide information for future accountings. There should be no designated record sets in the vendor’s possession and no need for this assurance. Rather than arm-wrestle every vendor, think about making your business associate agreements flexible and in

proportion to the uses and disclosures involved. Try starting with a form—perhaps the federal sample form—and develop a series of two or three forms for different classes of relationships. This way, a modest software service agreement would require far fewer assurances than a full-blown data outsourcing alliance.

Clearly state uses and disclosures

Getting the right protection requires an agreement that clearly states the specific agreed-upon uses and disclosures of PHI. Too often, agreements speak in terms of general obligations and undertakings. When changing a business associate agreement to comply with HIPAA, it is extremely important to question workforce members with direct involvement in the covered activity. The reality of day-to-day operations may differ significantly from a business associate’s written promises. A business associate addendum should explicitly state all uses and disclosures.

Watch the indemnifications

Indemnifications are promises by one party to hold the other harmless in the event of its negligence, intentional wrongdoing, or a breach of the agreement. Nothing in the federal sample or the privacy rule requires indemnification. Still, many covered entities seek indemnification for violations of the business associate assurances. Some covered entities seek indemnifications that extend beyond a violation of the privacy rule assurances and into common law breaches of confidentiality because one problem may trigger exposure of the other type. However, the liability insurance of the indemnifying party may not back these indemnifications because such insurance commonly excludes payment for illegality or contractual liability. An unfounded indemnification is often the ultimate empty gesture.

Scale safeguards

One of the assurances required from a business associate is an obligation to use appropriate safeguards to protect the security of PHI. These protections should be reasonable and scaleable. The provision does not require incorporation of the security rule (proposed or final) by reference. But it would be wise to draft business associate agreements that provide you the option to re-visit these assurances when the final security regulation is published.

Always negotiate

Many covered entities take the position that their form of business associate agreement is “non-negotiable.” This position is difficult to maintain for at least two reasons. First, if a non-negotiable form is simply bad business for a vendor, loaded with hidden costs with no commensurate increase in compensation, you may find yourself looking for replacement vendors. In short, when it comes to money, everything is negotiable.

Second, if an agreement that does not contain a change-of-law provision is already in place, the business associate has no obligation to renegotiate. If a covered entity uses a vendor’s refusal to sign a “non-negotiable” business associate addendum as grounds to terminate an existing agreement, the vendor could sue for a breach in bad faith.

Don’t forget the agreement. In an understandable effort to minimize the administrative burden of adapting business associate agreements, many covered entities have resorted to sending a form, or one of a few forms, in the mail to business associates. This approach may lessen the compliance load, but it does little to fit the terms of the business associate assurances into the context of the larger document. You need to know what the existing business associate agreement says and what the business associate does before amending the document.

An indemnification clause in the master agreement may require notice before taking effect while one in the form of business associate assurances does not. Even though a good form will include coordinating terms on construction (e.g., the form controls the master in event of a conflict), careful drafting doesn’t substitute for due diligence. At a minimum, a hands-on approach is needed for more significant business associate relationships.

Don’t play the effective date game

The August amendment gives covered entities until April 14, 2004, to change existing agreements to conform to the business associate requirements. Obviously, in the 60-day period between the publication date of the August amendment and the October 15, 2002, effective date, covered entities can enter into agreements that will not require business associate assurances before April 14, 2004. However, unless the entire relationship will conclude and all obligations be completely performed by April 14, 2004, there is little real incentive to play the effective date game. Covered entities are much better positioned to negotiate complete agreements that include the appropriate assurances while their overall proposal and pricing is on the table. Deferring business associate requirements to a later date only gives the other party the opportunity to revisit other terms of the agreement when the covered entity finally needs to revise the agreement. After all, everything is negotiable.

Editor’s note: Edward F. Shay is a partner in the national health law practice at the Philadelphia-based law firm of Post & Schell, PC. The firm’s national practice provides services to a broad spectrum of institutional providers and payers. Shay may be reached at .