Earlier this month, I attended the annual meeting of the American Health Lawyers Association in San Diego. This meeting was excellent both from a networking perspective and for the substantive information imparted during the various break-out sessions. A number of these sessions were devoted to or touched upon the Final Rule that was published on January 25, 2013, those terms that must now be included in BAAs under such Final Rule, and the effect of such Final Rule upon a business associate ("BA") – someone the Final Rule defines as a person acting on behalf of a covered entity ("CE") who (i) creates, receives, maintains or transmits protected health information ("PHI"); (ii) for a function or activity regulated by HIPAA; and (iii) provides certain identified services to such CE.

The provisions of the Final Rule are especially important to a BA, considering (a) a BA is now independently liable for violations of HIPAA's privacy and security requirements, and (b) BAs shall be subject to future audits by the Office for Civil Rights to ensure compliance with HIPAA, including those amended privacy, security, enforcement and breach notification provisions that are part of the Final Rule. Essentially, under the Final Rule, BAs must comply with HIPAA's privacy and security rules in the same manner as a CE, including with respect to the breach notification requirements, which may represent the greatest risk when negotiating a BAA.

Therefore, when negotiating a BAA that is to comply with the Final Rule, whether on behalf of a BA or a CE, the following are some of the salient issues – each of which has significant legal implications – that should be considered and addressed:

  • The timeframe within which the BA must notify the CE of a breach;
  • Indemnification for breach expenses;
  • Cooperation in breach risk assessment;
  • Cooperation in HIPAA investigations;
  • Reporting of unsuccessful Security Incidents;
  • The extent to which the CE may direct the patient rights duties of the BA;
  • The right of the BA to operate outside the U.S., including storing data offshore;
  • Audit rights;
  • The right to de-identify PHI;
  • The BA's right to use PHI for its own management and administration and for data aggregation purposes;
  • Defining when the return or destruction of PHI upon termination of the BAA is infeasible; and
  • The extent to which the provisions in the BAA between the BA and its subcontractor shall be identical to the BAA between such BA and the CE.

This article is for general information and does not include full legal analysis of the matters presented. It should not be construed or relied upon as legal advice or legal opinion on any specific facts or circumstances. The description of the results of any specific case or transaction contained herein does not mean or suggest that similar results can or could be obtained in any other matter. Each legal matter should be considered to be unique and subject to varying results. The invitation to contact the authors or attorneys in our firm is not a solicitation to provide professional services and should not be construed as a statement as to any availability to perform legal services in any jurisdiction in which such attorney is not permitted to practice.

Duane Morris LLP, a full-service law firm with more than 700 attorneys in 24 offices in the United States and internationally, offers innovative solutions to the legal and business challenges presented by today's evolving global markets. The Duane Morris Institute provides training workshops for HR professionals, in-house counsel, benefits administrators and senior managers.