 Channel Futures


Business Associate Agreement or Façade?

  • Written by Dan Liutikas
  • March 5, 2015
Suddenly, "standard" Business Associate Agreements aren't so standard.

Solution providers working in the healthcare space are fully accustomed to signing Business Associate Agreements (BAA) to perform services for healthcare organizations.

To recap, the BAA is intended to serve as an ancillary agreement to a services agreement for the performance of services that may be covered under applicable law within the healthcare industry, including HIPAA, the HITECH Act, the Privacy Rule, the Security Rule and the American Recovery and Reinvestment Act of 2009. Primarily, the BAA is intended to ensure that the solution provider, who is considered a Business Associate under HIPAA, establishes and implements appropriate safeguards for Protected Health Information (PHI) that the Business Associate may receive, create, maintain or otherwise access or use in connection with performing services for a Business Associate’s customer (known as a Covered Entity under HIPAA). The BAA is also generally intended to ensure that the Business Associate complies with the Security Rule by requiring the implementation of administrative, physical and technical safeguards and the mandated policies and procedures. The typical BAA will also contain a rather broad indemnification related to a breach of any of these specific obligations.

These requirements were all quite concerning when solution providers first encountered them, but over time, they've adapted their knowledge, processes and protocols enough that the risk was contained to acceptable levels. Between a thoughtful services agreement that contained reasonable protections, a limited BAA for which best practices had been established and appropriate insurance, solution providers can effectively mitigate their risk in servicing healthcare customers.

Unfortunately, the story doesn’t end there. More recently, BAAs have been growing in size and scope.  Certainly there have been changes in the law that have necessitated a few revisions to the forms everyone is accustomed to, but the “standard” forms oftentimes are getting much more than a few compliance revisions.

For example, many Covered Entities are attempting to expand the scope of confidentiality under the BAA from PHI to all confidential information; they may be prescribing very specific and onerous methods of doing business that are likely to lead to some breach by the solution provider (thus triggering the remedies in the BAA); and they may be attempting to encompass services in the BAA that do not relate to any areas that the solution provider is itself performing or that the BAA is intended to address specific to healthcare law requirements. 

So what is the big deal with all of this? The issues can be numerous, but let's focus our attention on just a couple. First, the typical services agreement generally has (or should have) a carefully crafted indemnification and appropriate limitation of liability. The typical BAA has a very broad indemnification and no limitation of liability. So when a BAA encompasses areas that do not need to be addressed from a compliance perspective, it effectively transfers more risk to the solution provider than is appropriate and, very likely, in contravention of the solution provider’s negotiated services agreement.

Second, by encompassing every service the solution provider helps integrate but does not itself perform (e.g., cloud solutions), the Covered Entity is effectively either shifting risk away from the company actually providing the services or simply adding an additional party—the solution provider—that must bear the risk.  Since the solution provider has no control over such third-party services, this is unreasonable in many circumstances. 

This trend is concerning, as it tends to allocate more and more risk to the solution provider. It is vital the solution provider take action. First, do not sign a BAA simply because it has the term "Business Associate Agreement" on it. Do not assume it is just a “standard” form. It may be more than that and should be properly reviewed.

Second, as well-versed as you may be in BAAs and contracting in general, don’t rely on that experience in reviewing the agreement. Have a qualified attorney review the BAA. Oftentimes the changes are subtle, but impactful. Literally one word here or there can change the meaning of provisions dramatically. The BAA may still feel like a “standard” form but be far from it. You are an IT solutions pro; let a pro in law handle this piece. The risk is too great!

Third, if a BAA goes outside the boundaries of what a BAA should be, don’t be afraid to negotiate. More often than not, a simple conversation with your customer can lead to a win-win resolution.

Looking for more information on Business Associate Agreements? Visit itlalaw.com to learn more.

Dan Liutikas is the Managing Attorney of ITLA | InfoTech Law Advocates, and also serves the greater IT industry as Chief Legal Officer of CompTIA, the premier IT trade association.
