Business Associate Agreement or Façade?
Solution providers working in the healthcare space are fully accustomed to signing Business Associate Agreements (BAA) to perform services for healthcare organizations.
To recap, the BAA is intended to serve as an ancillary agreement to a services agreement for the performance of services that may be covered under applicable law within the healthcare industry, including HIPAA, the HITECH Act, the Privacy Rule, the Security Rule and the American Recovery and Reinvestment Act of 2009. Primarily, the BAA is intended to ensure that the solution provider, who is considered a Business Associate under HIPAA, establishes and implements appropriate safeguards for Protected Health Information (PHI) that the Business Associate may receive, create, maintain or otherwise access or use in connection with performing services for the Business Associate’s customer (known as a Covered Entity under HIPAA). The BAA is also generally intended to ensure that the Business Associate complies with the Security Rule by requiring the implementation of administrative, physical and technical safeguards and the mandated policies and procedures. The typical BAA will also contain a rather broad indemnification related to a breach of any of these specific obligations.
These requirements were all quite concerning when solution providers first encountered them, but over time, they have adapted their knowledge, processes and protocols enough that the risk is contained to acceptable levels. Between a thoughtful services agreement that contains reasonable protections, a limited BAA for which best practices have been established, and appropriate insurance, solution providers can effectively mitigate their risk in servicing healthcare customers.
Unfortunately, the story doesn’t end there. More recently, BAAs have been growing in size and scope. Certainly there have been changes in the law that have necessitated a few revisions to the forms everyone is accustomed to, but the “standard” forms oftentimes are getting much more than a few compliance revisions.
For example, many Covered Entities are attempting to expand the scope of confidentiality under the BAA from PHI to all confidential information; they may be prescribing very specific and onerous methods of doing business that are likely to lead to some breach by the solution provider (thus triggering the remedies in the BAA); and they may be attempting to encompass in the BAA services that the solution provider does not itself perform, or that do not relate to the healthcare law requirements a BAA is intended to address.
So what is the big deal with all of this? The issues can be numerous, but let's focus our attention on just a couple. First, the typical services agreement generally has (or should have) a carefully crafted indemnification and appropriate limitation of liability. The typical BAA has a very broad indemnification and no limitation of liability. So when a BAA encompasses areas that do not need to be addressed from a compliance perspective, it effectively transfers more risk to the solution provider than is appropriate and, very likely, in contravention of the solution provider’s negotiated services agreement.
Second, by encompassing every service the solution provider helps integrate but does not itself perform (e.g., cloud solutions), the Covered Entity is effectively either shifting risk away from the company actually providing the services or simply adding an additional party—the solution provider—that must bear the risk. Since the solution provider has no control over such third-party services, this is unreasonable in many circumstances.
This trend is concerning, as it tends to allocate more and more risk to the solution provider. It is vital the solution provider take action. First, do not sign a BAA simply because it has the term "Business Associate Agreement" on it. Do not assume it is just a “standard” form. It may be more than that and should be properly reviewed.
Second, as well-versed as you may be in BAAs and contracting in general, don’t rely on that experience in reviewing the agreement. Have a qualified attorney review the BAA. Oftentimes the changes are subtle, but impactful. Literally one word here or there can change the meaning of provisions dramatically. The BAA may still feel like a “standard” form but be far from it. You are an IT solutions pro; let a pro in law handle this piece. The risk is too great!
Third, if a BAA goes outside the boundaries of what a BAA should be, don’t be afraid to negotiate. More often than not, a simple conversation with your customer can lead to a win-win resolution.
Looking for more information on Business Associate Agreements? Visit itlalaw.com to learn more.
Dan Liutikas is the Managing Attorney of ITLA | InfoTech Law Advocates, and also serves the greater IT industry as Chief Legal Officer of CompTIA, the premier IT trade association.