The Business Associate Agreement Battle – Understand the Key Issues

The September 2014 deadline for amending pre-existing HIPAA business associate agreements (BAA) is fast approaching.  Are you ready?  Under the HITECH Act, covered entities and business associates have just under seven months to negotiate and implement amendments to all BAAs entered into prior to January 25, 2013.

In the face of the unprecedented challenge of revising all pre-existing BAAs, covered entities and business associates need to act quickly, but also be mindful of the important terms in BAAs that can lead to increased liability, including the following:

  • Indemnification: Although not required by the HITECH Act, covered entities often push for strong indemnification language that requires the business associate to indemnify the covered entity for a business associate’s breach of protected health information (PHI) and violations of HIPAA.  Acceptable indemnification language for each party depends on the nature of the PHI involved in the transaction and the amount of PHI that is transmitted between the parties. 
  • Limitation of Liability: In order to reduce the risks of receiving and maintaining the covered entity’s PHI, many business associates push for BAA language that limits their liability to a certain amount (i.e. fees paid by covered entity in the underlying agreement).  A covered entity’s acceptance to a business associate’s “limitation of liability” terms can pose significant risks if the business associate violates HIPAA after the BAA is signed. 
  • Breach Notification Time Period: The HITECH Act requires business associates to notify covered entities of a breach of PHI within 60 days of discovery.  However, in order to protect relationships with patients affected by a breach, proposed BAAs from covered entities generally require a business associate to provide notification within 10 days or less.  A business associate’s acceptance to a shorter notification period can put tremendous pressure on it to investigate and disclose accurate information after a breach occurs.

These are just a few terms found in BAAs that can lead to increased liability and risks for covered entities and business associates.  Although it is critical to complete BAA amendments by the September 23, 2014 deadline, business associates and covered entities need to think critically about the language in BAAs prior to signature.

If you would like more information about negotiating business associate agreements, please contact Dave Schoolcraft, Elana Zana or Casey Moriarty.