Around this time each year, I like to remind healthcare providers about certain matters they can address at the beginning of each year, a New Year's Resolution perhaps. You know, those matters that you have every intention of addressing throughout the year, but which get pushed to the side as other "more pressing" matters develop. This year, I am focusing on Business Associate Agreements (BAAs).
While BAAs are a necessary tool for ensuring HIPAA compliance, healthcare providers often overlook this area of compliance. However, given the recent focus on business associate relationships and compliance by the Office for Civil Rights, the government agency overseeing HIPAA compliance, healthcare providers moving forward should not only ensure that a BAA is in place when one is necessary, but also that the BAA reflects the intentions of the parties.
Below are my top five provisions that should be reviewed in any BAA and should be negotiated as necessary.
1. Indemnity Provision. The indemnity provision concerns whether or not the business associate will be responsible for any costs you incur as a result of the business associate's actions. Healthcare providers should always insist on an indemnity from their business associates. If the business associate violates the terms of the BAA and/or HIPAA and such violation results in a fine, penalty, investigation, etc. against the healthcare provider, the indemnity provision allows the healthcare provider to pursue the business associate and recoup such costs. It holds the party responsible for the incident also responsible for the associated costs, regardless of which party actually incurs the costs.
2. Breach Reporting. Every BAA should address how quickly Breaches of Unsecured PHI, Security Incidents, and other improper uses and disclosures of patient information will be reported to the healthcare provider following discovery by the business associate. Because it involves the information of your patients, and because your patients trust you to protect their information, you will want to learn of the breach or incident as soon as reasonably possible. In that regard, I generally recommend no more than a 10-day notice period. The BAA should also specify what information will be provided in the notice, how the business associate will work with you to address the incident, and, with regard to a Breach of Unsecured PHI, who will be responsible for the costs of Breach notification and who will provide the Breach notification.
3. Timely Access. Business associates are required to provide healthcare providers with timely access to patient information (or related accounting information) to help facilitate a patient's request for access, request for amendment, or request for an accounting in accordance with HIPAA. However, BAAs can contractually require that business associates provide such access within specified time periods in order to allow the covered entity to provide a timely response to its patients. For example, covered entities must generally provide patients with access to requested health information within 30 days. Thus, the BAA should provide that the business associate will give the healthcare provider access within 30 days at the latest, if not sooner. However, some healthcare providers aim to provide patients with access to information within, for example, 15 days. In such instances, the BAA will need to include a shorter timeframe to allow the covered entity adequate time to review the information provided by the business associate, format the information, and deliver the information to the patient within 15 days.
4. De-identification of Data. De-identified data is technically not protected by HIPAA. Thus, if business associates are allowed to de-identify the patient data provided by a healthcare provider, they can use the data for any purpose, including a purpose profiting the business associate. For that reason, many healthcare providers disfavor allowing their business associates to de-identify patient data. The idea is that a healthcare provider shares patient information with a business associate in order for that business associate to perform a function or service on behalf of the healthcare provider, a function or service that the business associate is probably getting paid to perform; many healthcare providers therefore have concerns about the business associate further using and profiting from their patient information. Thus, many healthcare providers require that business associates only de-identify data upon the healthcare provider's written consent, or only allow the de-identification of data for limited purposes (e.g., data aggregation).
5. Choice of Law. As more and more states develop and expand breach notification requirements and the obligations surrounding the privacy and security of patient information, the choice of law provision in a BAA has become more important. For providers located in Alabama, you should always request Alabama as your choice of law: the location where the patient was treated and the location where the medical information was generated.
BAAs contain additional provisions that may require review and negotiation, but these are my top five provisions to look for when reviewing BAAs. As the New Year gets underway, review your BAAs to make sure that they are up to date and remain in effect. If they need updating or have expired, keep in mind these provisions as you negotiate new documents.
Kelli Fleming is a Partner with Burr & Forman LLP and practices exclusively in the firm's Health Care Practice Group.