https://www.channelfutures.com/wp-content/themes/channelfutures_child/assets/images/logo/footer-new-logo.png
  • Home
  • Technologies
    • Back
    • SDN/SD-WAN
    • Cloud
    • RMM/PSA
    • Security
    • Telephony/UC/Collaboration
    • Cable
    • Mobility & Wireless
    • Fiber/Ethernet
    • Data Centers
    • Backup & Disaster Recovery
    • IoT
    • Desktop
    • Artificial Intelligence
    • Analytics
  • Strategy
    • Back
    • Mergers and Acquisitions
    • Channel Research
    • Business Models
    • Distribution
    • Technology Solutions Brokerages
    • Sales & Marketing
    • Best Practices
    • Vertical Markets
    • Regulation & Compliance
  • MSP 501
    • Back
    • 2023 MSP 501 Application
    • 2022 MSP 501 Rankings
    • 2022 NextGen 101 Rankings
  • Intelligence
    • Back
    • Galleries
    • Podcasts
    • From the Industry
    • Reports/Digital Issues
    • Webinars
    • White Papers
  • Channel Futures TV
  • EMEA
  • Channel Chatter
    • Back
    • People on the Move
    • New/Changing Channel Programs
    • New Products & Services
    • Industry Honors
  • Resources
    • Back
    • Advisory Boards
    • Industry Organizations
    • Our Sponsors
    • Advertise
    • 2023 Editorial Calendar
  • Awards
    • Back
    • 2022 MSP 501
    • Channel Influencers
    • Circle of Excellence
    • DE&I 101
    • Technology Advisor 101 (TA 101)
    • Channel Leaders Lists
  • Events
    • Back
    • 2023 Call for Speakers
    • CP Conference & Expo
    • MSP Summit
    • Channel Partners Europe
    • Channel Partners Event Coverage
    • Webinars
    • Industry Events
  • About Us
  • DE&I
Channel Futures
  • NEWSLETTER
  • Home
  • Technologies
    • Back
    • SDN/SD-WAN
    • Cloud
    • RMM/PSA
    • Security
    • Telephony/UC/Collaboration
    • Cable
    • Mobility & Wireless
    • Fiber/Ethernet
    • Data Centers
    • Backup & Disaster Recovery
    • IoT
    • Desktop
    • Artificial Intelligence
    • Analytics
  • Strategy
    • Back
    • Mergers and Acquisitions
    • Channel Research
    • Business Models
    • Distribution
    • Technology Solutions Brokerages
    • Sales & Marketing
    • Best Practices
    • Vertical Markets
    • Regulation & Compliance
  • MSP 501
    • Back
    • 2023 MSP 501 Application
    • 2022 MSP 501 Rankings
    • 2022 NextGen 101 Rankings
  • Intelligence
    • Back
    • Galleries
    • Podcasts
    • From the Industry
    • Reports/Digital Issues
    • Webinars
    • White Papers
  • Channel Futures TV
  • EMEA
  • Channel Chatter
    • Back
    • People on the Move
    • New/Changing Channel Programs
    • New Products & Services
    • Industry Honors
  • Resources
    • Back
    • Advisory Boards
    • Industry Organizations
    • Our Sponsors
    • Advertise
    • 2023 Editorial Calendar
  • Awards
    • Back
    • 2022 MSP 501
    • Channel Influencers
    • Circle of Excellence
    • DE&I 101
    • Technology Advisor 101 (TA 101)
    • Channel Leaders Lists
  • Events
    • Back
    • 2023 Call for Speakers
    • CP Conference & Expo
    • MSP Summit
    • Channel Partners Europe
    • Channel Partners Event Coverage
    • Webinars
    • Industry Events
  • About Us
  • DE&I
    • Newsletter
  • REGISTER
  • MSPs
  • VARs / SIs
  • Agents
  • Cloud Service Providers
  • Channel Partners Events
 Channel Futures

Sales & Marketing


Business Associate Agreement or Façade?

  • Written by Dan Liutikas 1
  • March 5, 2015
Suddenly, "standard" Business Associate Agreements aren't so standard.

Solution providers working in the healthcare space are fully accustomed to signing Business Associate Agreements (BAA) to perform services for healthcare organizations.

To recap, the BAA is intended to serve as an ancillary agreement to a services agreement for the performance of services that may be covered under applicable law within the healthcare industry, including HIPAA, HITECH Act, the Privacy Rule, the Security Rule and the American Recovery and Reinvestment Act of 2009.  Primarily, the BAA is intended to ensure that the solution provider, who is considered a Business Associate under HIPAA, establishes and implements appropriate safeguards for Protected Health Information (PHI) that the Business Associate may receive, create, maintain or otherwise access or use in connection with performing services for a Business Associate’s customer (known as a Covered Entity under HIPAA). The BAA is also generally intended to ensure that the Business Associate complies with the Security Rule by requiring the implementation of administrative physical and technical safeguards and the mandated policies and procedures. The typical BAA will also contain a rather broad indemnification related to a breach of any of these specific obligations. 

These requirements were all quite concerning when solution providers first encountered them, but over time, they've adapted their knowledge, processes and protocols enough that the risk was contained to acceptable levels. Between a thoughtful services agreement that contained reasonable protections, a limited BAA for which best practices had been established and appropriate insurance, solution providers can effectively mitigate their risk in servicing healthcare customers.

Unfortunately, the story doesn’t end there. More recently, BAAs have been growing in size and scope.  Certainly there have been changes in the law that have necessitated a few revisions to the forms everyone is accustomed to, but the “standard” forms oftentimes are getting much more than a few compliance revisions.

For example, many Covered Entities are attempting to expand the scope of confidentiality under the BAA from PHI to all confidential information; they may be prescribing very specific and onerous methods of doing business that are likely to lead to some breach by the solution provider (thus triggering the remedies in the BAA); and they may be attempting to encompass services in the BAA that do not relate to any areas that the solution provider is itself performing or that the BAA is intended to address specific to healthcare law requirements. 

So what is the big deal with all of this? The issues can be numerous, but let's focus our attention on just a couple. First, the typical services agreement generally has (or should have) a carefully crafted indemnification and appropriate limitation of liability. The typical BAA has a very broad indemnification and no limitation of liability. So when a BAA encompasses areas that do not need to be addressed from a compliance perspective, it effectively transfers more risk to the solution provider than is appropriate and, very likely, in contravention of the solution provider’s negotiated services agreement.

Second, by encompassing every service the solution provider helps integrate but does not itself perform (e.g., cloud solutions), the Covered Entity is effectively either shifting risk away from the company actually providing the services or simply adding an additional party—the solution provider—that must bear the risk.  Since the solution provider has no control over such third-party services, this is unreasonable in many circumstances. 

This trend is concerning, as it tends to allocate more and more risk to the solution provider. It is vital the solution provider take action. First, do not sign a BAA simply because it has the term "Business Associate Agreement" on it. Do not assume it is just a “standard” form. It may be more than that and should be properly reviewed.

Second, as well-versed as you may be in BAA’s and contracting in general, don’t rely on that experience in reviewing the agreement. Have a qualified attorney review the BAA. Oftentimes the changes are subtle, but impactful. Literally one word here or there can change the meaning of provisions dramatically. The BAA may still feel like a “standard” form but be far from it. You are an IT solutions pro; let a pro in law handle this piece. The risk is too great! 

Third, if a BAA goes outside the boundaries of what a BAA should be, don’t be afraid to negotiate. More often than not, a simple conversation with your customer can lead to a win-win resolution.

Looking for more information on Business Associate Agreements? Visit itlalaw.com to learn more.

Dan Liutikas is the Managing Attorney of ITLA | InfoTech Law Advocates, and also serves the greater IT industry as Chief Legal Officer of CompTIA, the premier IT trade association.

Tags: Agents Cloud Service Providers MSPs VARs/SIs Sales & Marketing

Most Recent


  • Time for Change
    HP's Head of Global Channel Strategy Talks Program Changes, Poly Opportunity
    HP’s channel strategy leader reveals how HP is tweaking its two-year old partner program, and what to expect for the rest of 2023.
  • Jump a gap, ravine
    Is the Gap Widening Between Superagents and Mom-and-Pop Shops?
    Partners shared why they haven't sold their business and what they need to do to stay relevant with end customers.
  • online survey
    Kaseya MSP Survey: Growing Importance of Automation, Cybersecurity Remains Top Challenge
    MSPs will need to be up to speed on their security offerings to meet SMB demand.
  • Cloud Roundup
    Google Cloud Lashes Out at Microsoft, New Hurdle for Broadcom-VMware
    This cloud computing wrap-up showcases some big news and happenings at more under-the-radar cloud firms.

Leave a comment Cancel reply

-or-

Log in with your Channel Futures account

Alternatively, post a comment by completing the form below:

Your email address will not be published. Required fields are marked *

Related Content

  • Europe skyline
    The Master Agent Model Is Taking Off in Europe
  • Kohler Power Unleashes New Global Power Partner Program
  • Deep Learning, AI
    From T1s to 'Human Experience': TBI's Bryan Reynolds Is Witnessing a Channel Revolution
  • Telcos are undergoing a steady transformation as brands attempt to escape their commodity roles as voice and data providers and become consumerfacing content and entertainment brands This year saw major brands taking major steps to advance this goal and to position themselves for leadership in the Internet of Things Verizon acquired Yahoo having purchased AOL two years ago and ATampT agreed to buy media giant Time Warner following its earlier acquisition of DirecTV And just as every company is a
    New Channel Chiefs at Forcepoint, Otava, PagerDuty Target Bigger Partner Share

Upcoming Events

View all

Channel Partners Conference & Expo

May 1, 2023 - May 4, 2023

Channel Partners Europe

June 13, 2023 - June 14, 2023

Channel Futures Leadership Summit

October 30, 2023 - November 2, 2023

Galleries

View all

HP’s Head of Global Channel Strategy Talks Program Changes, Poly Opportunity

March 31, 2023

National Women’s History Month: Channel Women’s Advice for Newbies

March 31, 2023

Is the Gap Widening Between Superagents and Mom-and-Pop Shops?

March 31, 2023

Industry Perspectives

View all

Co-innovation Is Needed to Effect Energy Transformation

March 31, 2023

AI Spells the End of End User Security

March 30, 2023

Why You Should Include Audiovisual Solutions in Your UC Services

March 28, 2023

Webinars

View all

Give Customers the Power: How MSPs Can Leverage Cloud Choice

April 4, 2023

DE&I Dialogue: How the Right DE&I Initiatives Can Propel Your Business

April 5, 2023

Meet the 2023 Channel Futures Channel Influencers

April 13, 2023

White Papers

View all

6 UCaaS Reseller Challenges and How Real World Businesses Solved Them

February 1, 2023

Frost Radar: North American UCaaS Market, 2022

February 1, 2023

The Complete Guide to White-Label UCaaS for Reseller Success

February 1, 2023

Channel Futures TV

View all

Kaseya, Post-Acquisition, Expanding ‘Well-Regarded’ Datto Partner Program

Aryaka ‘Driving Value to the Channel Community’ with Throttle

March 24, 2023

Coffee with Craig and James Episode 121: Hewlett Packard Enterprise

March 23, 2023

Real-Life M&A: Advice for a Successful Channel Deal

March 13, 2023

Twitter

ChannelFutures

Learn about @comcastbusiness and some of the trends partners are seeing with #SMB customers. @craigschlagbaum… twitter.com/i/web/status/1…

March 31, 2023
ChannelFutures

🤔 Interested in expanding on your brand or building a business from square one? @SkySwitchSays explains everythin… twitter.com/i/web/status/1…

March 31, 2023
ChannelFutures

Energy transformation and climate change calls for innovation now @VMware #channelpartners #energycrisis #technews… twitter.com/i/web/status/1…

March 31, 2023
ChannelFutures

Predictions are important when shaping your 2023 expectations & goals. #ChannelFutures is here to help out. We aske… twitter.com/i/web/status/1…

March 31, 2023
ChannelFutures

Mary Beth Walker on @HP adapting its partner program in response to partner feedback, and what latest launches mean… twitter.com/i/web/status/1…

March 31, 2023
ChannelFutures

.@ConnectWise report shows cybercriminals will continue heavily targeting #MSPs in 2023. dlvr.it/Slnlrj https://t.co/eEY0pMLJaQ

March 31, 2023
ChannelFutures

CP Expo preview: The "State of the Agent Market" panel will feature four rockstar partner speakers. Read a preview… twitter.com/i/web/status/1…

March 31, 2023
ChannelFutures

.@Dell launches #DellLatitude and OptiPlex PCs, and Precision #workstations, adds Apex Managed Device Service.… twitter.com/i/web/status/1…

March 30, 2023

MSP 501

The industry's largest and most comprehensive partner awards program.

Newsletters and Updates

Sign up for The Channel Report, Channel Futures Update, MSP 501 Newsletter and more.

Live Channel Events

Get the latest information on the next industry-leading Channel Partners event.

Galleries

Educational slide shows and images from live events.

Media Kit And Advertising

Want to reach our audience? Access our media kit.

DISCOVER MORE FROM INFORMA TECH

  • Channel Partners Events
  • Telecoms.com
  • MSP 501
  • Black Hat
  • IoT World Today
  • Omdia

WORKING WITH US

  • Contact
  • About Us
  • Advertise
  • Newsletter

FOLLOW Channel Futures ON SOCIAL

  • Privacy
  • CCPA: “Do Not Sell My Data”
  • Cookie Policy
  • Terms
Copyright © 2023 Informa PLC. Informa PLC is registered in England and Wales with company number 8860726 whose registered and Head office is 5 Howick Place, London, SW1P 1WG.
This website uses cookies, including third party ones, to allow for analysis of how people use our website in order to improve your experience and our services. By continuing to use our website, you agree to the use of such cookies. Click here for more information on our Cookie Policy and Privacy Policy.
X