Indemnification: Is It Needed In A Business Associate Agreement?
By Matthew Fisher
Twitter: @matt_r_fisher
The requirement for Covered Entities under the Health Insurance Portability and Accountability Act (“HIPAA”) to enter into a Business Associate Agreement (“BAA”) with Business Associates has received a significant amount of attention following the release of the HIPAA Omnibus Rule on January 23, 2013 (the “Omnibus Rule”). The Omnibus Rule clarified and modified the specific regulatory requirements for the contents of a BAA. Those requirements include requiring Business Associates to comply with certain obligations under the HIPAA Privacy Rule and Security Rule. The regulations do not require an indemnification clause. The question, then, becomes whether a Covered Entity should include an indemnification clause in a BAA.
To answer the indemnification question, it is first helpful to explore what a BAA, at a baseline, covers. A BAA is meant to cover the relationship and sharing of protected health information (“PHI”) between a Covered Entity and a Business Associate. Under the HIPAA regulations, a Business Associate is any person or entity that receives, handles, creates or otherwise interacts with PHI for or on behalf of a Covered Entity in assisting the Covered Entity in the performance of its activities. Once the relationship between the parties falls within the HIPAA definition, a Business Associate relationship is created. It is for that reason that execution of a BAA is not necessary. While a Covered Entity has the responsibility of trying to have each Business Associate enter into a BAA, the Covered Entity’s obligations end at making reasonable efforts to obtain an executed BAA.
As a Business Associate under HIPAA, a Business Associate is required to comply with the Security Rule and applicable portions of the Privacy Rule. The Business Associate’s direct obligation is established by the HIPAA regulations and applies regardless of whether a BAA is in place. While a Covered Entity has the responsibility of trying to have each Business Associate enter into a BAA, the Covered Entity’s obligations end at making reasonable efforts to obtain an executed BAA.
One of the biggest changes from the Omnibus Rule was to make Business Associates directly liable for violations and breaches of HIPAA. This means that in an enforcement action, the government can look to not only the Covered Entity, but to the Business Associate for penalties.
In light of a Business Associate’s now direct liability under HIPAA, the question goes back to whether an indemnification clause is necessary in a BAA. The purpose of an indemnification clause is to commit one party (the indemnifying party) to either reimburse or cover the obligations of the other party in the event that the indemnifying party’s actions give rise to the damages. In the HIPAA context, therefore, it is easily discoverable why a Covered Entity would want to obligate its Business Associates to provide indemnification. A pre-Omnibus Rule example can provide a highlight. South Shore Hospital in Massachusetts, a Covered Entity, was fined for a breach of HIPAA and Massachusetts consumer protection laws when it shipped three boxes of unencrypted electronic information off-site to be erased, but only one box made it to the end destination to be erased. While the hospital failed to satisfy all of its obligations, it did not ensure its Business Associate was HIPAA compliant. From the Covered Entity’s perspective, it asks why it should bear the financial responsibility for the actions of its Business Associate.
From the Business Associate’s perspective though, if it causes a breach then under the newly amended regulations it can be directly fined by the government. In that context, the Business Associate could rightly question why it needs to separately commit to the Covered Entity to pay, when arguably the Business Associate that actually caused the breach can now be directly fined or penalized by the government. The conclusion of this argument is that indemnification would be unnecessary or duplicative because the Covered Entity would not be receiving the fine.
A fine from the government is not the only consideration for inclusion of an indemnification clause though. Indemnification could also be used to defray the costs of responding to and notifying affected individuals about a breach. In the event of a breach, it can be expected that the Covered Entity will want to maintain control over the notification process because it is the Covered Entity’s patients or affected individuals who are being notified. An indemnification clause or specific language in a BAA to cover this situation could be used by the Covered Entity to either assume control over or direct how notification will occur while pushing those costs onto the Business Associate.
Regardless of which perspective is taken, the following practical considerations should be considered:
- Will the Business Associate actually be able to satisfy any indemnification obligation? Even if an agreement contains an indemnification requirement, the Business Associate must still have the financial ability to satisfy that obligation. This is an element that should not be overlooked when considering whether to include an indemnification clause.
- The inclusion or exclusion of an indemnification clause in a BAA will be the result of negotiations between the Covered Entity and the Business Associate. The relative bargaining power of each party will likely play a predominant role in such negotiations.
Remember, indemnification is not required by HIPAA, and do not look past the practical ability to actually enforce the clause in the event of a triggering event.
About the author: Matthew Fisher is the chair of the Health Law Group at Mirick, O’Connell, DeMallie & Lougee, LLP, in Worcester, MA. Mat advises his clients in all aspects of healthcare regulatory compliance, including HIPAA, the Stark Law and the Anti-Kickback Statute.