Earlier this month, I attended the annual meeting of the American Health Lawyers Association in San Diego. The meeting was excellent both for networking and for the substantive information imparted during the various break-out sessions. A number of these sessions were devoted to, or touched upon, the Final Rule that was published on January 25, 2013, the terms that must now be included in BAAs under that Final Rule, and the effect of the Final Rule upon a business associate (“BA”), which the Final Rule defines as a person who, on behalf of a covered entity (“CE”), (i) creates, receives, maintains or transmits protected health information (“PHI”) for a function or activity regulated by HIPAA, or (ii) provides certain identified services to or for such CE.

The provisions of the Final Rule are especially important to a BA, considering that (a) a BA is now directly liable for violations of HIPAA’s privacy and security requirements, and (b) BAs will be subject to future audits by the Office for Civil Rights to ensure compliance with HIPAA, including the amended privacy, security, enforcement and breach notification provisions that are part of the Final Rule. Essentially, under the Final Rule, a BA must comply with HIPAA’s security rule, and with the privacy rule provisions that apply to it, in much the same manner as a CE, including with respect to the breach notification requirements, which may represent the greatest area of risk when negotiating a BAA.

Therefore, when negotiating a BAA intended to comply with the Final Rule, whether on behalf of a BA or a CE, the following are some of the salient issues, each of which has significant legal implications, that should be considered and addressed:

  • The timeframe within which the BA must notify the CE of a breach;
  • Indemnification for breach expenses;
  • Cooperation in breach risk assessment;
  • Cooperation in HIPAA investigations;
  • Reporting of unsuccessful Security Incidents;
  • The extent to which the CE may direct the patient rights duties of the BA;
  • The right of the BA to operate outside the U.S., including storing data offshore;
  • Audit rights;
  • BA’s right to de-identify PHI;
  • BA’s right to use PHI for management and administration and data aggregation purposes;
  • Defining when return or destruction of PHI upon termination of the BAA is infeasible; and
  • The extent to which the provisions in the BAA between the BA and its subcontractor shall be identical to the BAA between such BA and the CE.