Now that the Final Omnibus Rule under HIPAA, originally published on January 25, 2013, is in full force, covered entities (CEs) and their continuing business associates (BAs) should be examining their existing pre-Final Omnibus Rule HIPAA Business Associate Agreements (BAAs). While the "Effective Date" of the Final Omnibus Rule was March 26, 2013, most provisions did not go into effect until September 23, 2013. BAAs that were "already in effect" as of January 25, 2013, and were not otherwise renewed or modified from and after the March 26, 2013, Effective Date should be reviewed and modified no later than September 23, 2014, if necessary, to comply with the Final Omnibus Rule.

By this time, CEs and BAs should have become more sophisticated and cautious regarding the negotiation of, and entry into, a BAA. In this regard, a party to a BAA (or a Subcontractor Agreement (SCA), for that matter), whether a covered entity, business associate or  subcontractor (SC), may confront the question as to whether to agree to, demand, request, submit to, negotiate or permit an indemnification provision respecting the counterparty under a BAA or SCA. On January 25, 2013, the U.S. Department of Health and Human Services published "Sample Business Associate Agreement Provisions," which were silent on the matter of indemnification. Nonetheless, whether or not to include a provision is often a major question for parties to BAAs and SCAs.

There are a number of common themes that, at a minimum, may determine in a specific case for a party whether the BAA or SCA should include such a provision. Because a breach of HIPAA, especially in the areas of privacy and security, can result in enormous financial liability, humiliating publicity and large monetary penalties, appropriate care should be given regarding such provisions. In addition to the 10 items listed below, the relative bargaining power of the parties may be a significant factor in this matter. 

  1. A CE or BA may assert that it has a "standard form" of BAA that includes a provision running solely for such party's benefit. The counterparty may legitimately push back and demand that such provision be removed, or at least that the BAA be revised to include a reciprocal provision for its benefit. (A party may also ask its counterparty whether the counterparty has ever previously executed a BAA or SCA that does not contain such a provision.)
  2. Before a party agrees to any provision whereby it is indemnifying the counterparty, it should find out from its own insurance carrier whether such a provision is permitted under such party's liability insurance policy or if agreeing to such a provision will have any adverse impact on its insurance coverage. CEs and BAs may now have insurance that specifically covers security and privacy data breaches, including HIPAA breaches (collectively, data breaches), and that coverage in particular requires scrutiny regarding the impact of any provisions.
  3. If a provision is to be included (and perhaps as a general rule even if there is no provision), there should be a negation of potential third party beneficiary rights under the BAA or SCA. For example, HIPAA specifically excludes individual private rights of action for a breach of HIPAA – a party does not want to run a risk of creating unintentionally a separate contractual private right of action in favor of a third party under a provision.
  4. A party should endeavor to limit its own maximum dollar amount exposure for indemnification. For this reason alone, a provision should be viewed as not "standard."
  5. A party should endeavor to limit the time period for indemnification under the provision. In this regard, HIPAA and state laws have specific time frames for notification of data breaches that should be considered with respect to the provision.
  6. If the BAA or SCA includes a provision, a party may desire to limit its monetary liability for any and all breaches under the BAA or SCA solely to the indemnification obligations under the provision.
  7. A party should consider expressly limiting its own monetary liability under the provision to events directly and proximately caused by a material breach of the BAA and only to the extent that the material breach of such party caused damages to the counterparty.  ("Standard" language often is written as "events arising out of or relating to a breach," a much broader and less objective criterion.)
  8. Where a BA or SC is a lawyer or law firm that is counsel (or another licensed person who has professional and ethical obligations separate from HIPAA, such as a physician) to a counterparty, consider whether there are professional responsibilities of attorneys (or such other licensed person) respecting the negotiation of the provision, including notifying the counterparty that it should consider retaining separate counsel to advise it on the provision (and other terms of the BAA such as item 10 below).
  9. If a regulatory authority or court exacts a monetary penalty from a party in connection with a data breach or such party is found to have been involved in a HIPAA breach, the right to indemnification of such party by the counterparty under a provision may be limited or not enforceable at all as a matter of public policy.
  10. If a provision is to be included, attention should be given to its impact on corollary matters, such as limitation on recovery of consequential, special, punitive and other damages and attorneys' fees and legal expenses.

In light of the above and other potential considerations, careful thought should be given as to whether or not a provision is appropriate in a specific case and merits what could become a serious and potentially irresolvable stumbling block to the underlying business relationship. In extreme cases, the matter of indemnification and its complexities and consequences could even result in termination of the business relationship between the parties.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.