April 2019
What’s Your Business Associate Agreement Strategy?
By Sarah Elkins
For The Record
Vol. 31 No. 4 P. 10
The subject of consternation and occasional confusion, these contracts play a leading role in compliance efforts.
It all began rather oddly.
“The business associate [BA] concept is a weirdness that came out of the first iteration [of HIPAA],” says John Christiansen, an attorney in private practice who has specialized in HIT law since before HIT was a thing, at least in modern terms. He recalls the early ’90s when everyone was working on mainframe computers and there were no health information laws to speak of.
Somehow Christiansen had an inkling that the health care space was about to become very interesting, so he hung around.
And then it happened: HIPAA arrived in 1996. With the act’s passage came, among many things, the problematic concept (read: weirdness) of BAs.
“If you allow a covered entity to give PHI [protected health information] to a services provider without regulating the services provider, the PHI has lost all of its protections. That’s where the business associate contract came up,” Christiansen says.
HIPAA had created a jurisdictional problem, and Christiansen spent those early years, as he says, “putting together agreed frameworks or agreed contract forms that everybody could look at and say, ‘OK, I understand this.’”
“In a lot of cases,” he adds, “people didn’t understand it but signed it anyway because lawyers and technology, at that time, were not a great fit.”
Fast-forward a few years. The HITECH Act came onto the scene, and things got more serious. Covered entities (CEs) were required to notify individuals, the media, and Health and Human Services when a PHI breach occurred. And, BAs were now swept under the Office for Civil Rights’ (OCR) jurisdiction. The onus no longer solely rested with CEs to ensure the privacy and security of PHI. That meant CEs and BAs shared equal responsibility to make sure they had a BA agreement in place.
The Art of the BA Agreement
“They are ubiquitous,” Kelly Hagan says of BA agreements. An attorney with Schwabe who, like Christiansen, has specialized in health care since the proverbial beginning, Hagan spends more time than he’d like to admit navigating BA agreements.
In the early post-HITECH days, Hagan says, “People were just looking to comply.” CEs and their BAs wanted to get the agreement signed and move on, but with increased concern about data breaches and liability, “there is now, and has been for quite some time, a lot of push and shove when it comes to drafting these agreements.”
Why all the pushing and shoving? “You want, as much as possible, to shift the liability,” says Chris Apgar, CISSP, president and CEO of Apgar & Associates, a privacy and security compliance consultancy. “If you’re the covered entity, you want the business associate to sign your business associate agreement.”
And, here’s the push. “My clients are mostly single organizations that serve many covered entities. If you’ve got a lot of business associate contract variation, that can become a nightmare to manage. You can’t, on a practical level, offer people the opportunity to have whatever business associate contract they want,” Christiansen says.
Organizations on both sides come to the negotiating table with agreements loaded with provisions that go beyond basic compliance in an effort to indemnify themselves, shift risk, or achieve other self-interested goals.
“There are common law indemnity principles one can use to recover what fairly ought to be someone else’s expense, but that never seems to be enough for most people. They want to have a contractual indemnity provision that reaches as far as possible,” Hagan says.
“People are gun shy; they don’t want to be the headline,” Apgar says.
So Many BAs, So Little Time
As uniform as the rules are, BA agreements vary wildly. This costs everyone a lot of time. BAs looking to pick up new business will have a lot of agreements to comb through. On the other hand, CEs get bogged down in chasing the BA agreements they’ve issued, including getting them completed and returned.
“It gets frustrating on both sides,” Apgar says.
The frustration is avoidable though, according to Hagan. “It doesn’t take any time to come up with a compliant BA agreement. There is even an appendix with a compliant agreement at the OCR’s blessing attached to the rule. The time is spent working out these self-interested provisions where people are seeking to shift risk. That’s what takes the time,” he says.
Standardization of agreement templates would solve some of the strife. Christiansen, who has been working with the American Bar Association to move in that direction, agrees.
“The HITECH business associate bible was intended to drive standardization as much as possible, but that’s pretty limited for a number of reasons,” he says, adding that the business models that the agreements apply to are very different in scope. As a result, a one-size-fits-all template doesn’t adequately cover all business scenarios.
Christiansen, who himself is a BA, is a case in point. “I can’t enter into the same kind of business associate contract—or I shouldn’t anyway—that, for example, an electronic health records vendor might enter into. I can’t agree to provide access to the information in my records to the OCR. Whether or not I would do it in response to a regulatory inquiry, I can’t make a blanket promise that I will do so,” he says.
If the OCR were to make an inquiry, Christiansen would need to be able to resist the request to share information in order to protect attorney-client privilege. Although, he adds, “My suspicion from working with folks from OCR is they would probably say, ‘We get it.’ But, I would definitely have to resist it.”
Skip It, Forget It, or Deny It
Despite the potential of an OCR audit or a data breach, more organizations than one might guess are operating without a BA agreement in place. There are a few different reasons for that.
“Ignorance is the most common reason among smaller or less sophisticated entities,” Hagan says. “They may just not recognize the circumstance as one in which they need a BA agreement.”
The second reason is urgency. Oftentimes, an entity needs a quick fix. The EHR is on the fritz, there’s a glitch in the delivery system, or there’s some other time-sensitive problem. Work begins, PHI is disclosed, and both sides had every intention of signing the agreement. Then, “Someone will raise their hand in a meeting and say, ‘Oh, by the way, did we get a BA agreement with these people?’” Hagan says.
A third reason an entity may not have a BA agreement is because the vendor “flat refuses to characterize themselves as a business associate,” Hagan says, noting that this has occurred more frequently since the HITECH Act made BAs directly accountable for compliance.
Similarly, Apgar recently had a vendor refuse to sign an agreement. A popular screen-sharing and online conferencing application touts its HIPAA compliance measures online, but will not enter into a BA agreement. For Apgar it was a no-brainer: “I went back to my client and said you need to find another vendor.”
While the best advice is to find a vendor who will comply, Hagan acknowledges sometimes that poses a challenge for a client. The vendor may be the only provider of a particular service, or the entity has already worked with the vendor in another context and wants to maintain the relationship.
“There are a lot of reasons why [a CE] might be inclined to overlook their responsibilities,” he says, but the consequences can be dire. In just the last two years, the OCR has prosecuted and settled several cases on the basis that there needed to be a BA agreement in place.
Christiansen offers a simple solution to those tough-to-get agreements: “You can simply default and have it exist and apply through online contracting. It isn’t a bad model.” Christiansen is referring to the online contracts that we have all agreed to, at one time or another, without reading.
More Rigor, Less Worry
Informed entities want to know what they can do to increase the rigor of their BA agreements. There is no short answer to that question—it often depends on the vendor in question.
“When you’re dealing with an Amazon Web Services or a Microsoft, I don’t care who you are, you’re not going to get someone to negotiate that,” Apgar says.
In most cases, however, a CE (or BA) can go a long way toward ensuring the indemnification language is acceptable to both sides. A CE may try to push liability to the BA, but the BA should seek mutual indemnification if possible.
It also is important to have a provision for contract termination. In short, this protects one party when the other is in major violation of the agreement. “If one party is in breach,” Apgar explains, “you may want to give them a couple days to figure it out, but if the violation persists you want the ability to terminate the contract.”
Additionally, ensuring incident response timelines are realistic will prevent an impossible situation down the road. “Some of the response times people are looking for in terms of reporting incidents, like one day, are grossly unrealistic,” Hagan says. “[Within that timeframe], you don’t have any idea what happened except that something bad happened.”
The amount of time allowed before an incident must be reported isn’t the only reporting factor to consider. Defining exactly what incidents will be reported is equally important. According to Christiansen, the definition of a security incident in the rule is “ridiculously broad.”
If counsel simply transcribes the regulation clause—something Christiansen has seen with annoying frequency—the client is obliged to track and report even insignificant security events. “This tends to come from law firms and lawyers that don’t know much about technology and don’t understand that that’s an issue,” Christiansen says.
Fortunately, the problem is disappearing thanks to “an industry standard clause that recites that the parties acknowledge that there are constant security events that are harmless,” Christiansen says.
Finally, Christiansen recommends that BA agreements include provisions that address all the regulatory requirements, regardless of whether they apply to the service provider’s business model. For example, if an EHR vendor is entering into an agreement with a hospital and the hospital doesn’t want the vendor responding to patient requests for health information, there still must be a provision addressing the agreed-upon protocol.
“Just because you don’t do that doesn’t mean you should omit the provision in the agreement,” Christiansen notes.
Beyond the BA Agreement
Getting a sound BA agreement in place isn’t the beginning or the end of the road. Even before a contract is signed, there’s work to be done. The OCR expects CEs to exercise due diligence. For large entities, this often means requiring a SOC 2 Type II security audit of the BA.
Apgar recommends his clients take a look at their BAs and ask themselves, “Who’s the important business associate? Who supports a critical part of my operation? Or, who has lots and lots of my data? In those particular cases, it’s a good idea to send them a vendor security questionnaire on an annual basis,” he says.
Apgar emphasizes the importance of checking in with BAs periodically to ensure they remain compliant.
HIPAA Conduit Exception Rule
Occasionally, a vendor will balk at a BA agreement, making the argument that they are a conduit. The HIPAA Conduit Exception Rule creates an exception for service providers that transmit PHI without holding onto it or storing it for any amount of time.
“The original concept was intended to avoid having to regulate the US mail,” Christiansen says. “You really don’t want to try to force the Postal Service to sign business associate contracts with every physician practice in the world.”
Internet service providers (ISPs) fall under the purview of the exception rule as well, but the definition gets a bit muddy beyond there. Cloud vendors that store encrypted backups they cannot read are nonetheless considered BAs, despite their similarity to ISPs: neither type of service provider actually accesses the data in question.
“I was working with cloud service providers that were trying to figure out, ‘Can we accidentally become a business associate?’ The answer is yes, and that’s not a comfortable result,” Christiansen says.
Apgar has also encountered a client confused by its status. “They run a faxing service. They don’t keep the data longer than maybe 15, 20 days, but they may have to get at the data. They’re still a business associate,” he says.
To the extent that a CE misidentifies a service provider as a conduit when a BA agreement should have been in place, the entity will be held liable for noncompliance. However, even if a provider is truly a conduit, the CE is only as safe as its service provider is reliable.
“Sam’s Messenger Service may have some strapping young person on a bicycle with a satchel over his shoulder. They’re probably considered a conduit, but they may have varying levels of reliability. It may be there’s reason to doubt that Sam’s Messenger Service is a secure way to send PHI,” Hagan says.
If Sam’s Messenger Service causes a breach, the CE may not be contractually liable, but it’s still a practical problem.
No Silver Bullets
While having a BA agreement in place is necessary, it won’t necessarily keep all werewolves at bay. The agreement itself cannot ensure all parties are complying with the agreed-upon regulations. The agreement also may not anticipate a situation that ends in a civil settlement. However, it’s a small consolation that to date, no BAs have been involved in civil penalties or settlements.
“I imagine that will change,” Apgar says.
“Third-party claims are gaining traction. Creative plaintiff’s attorneys are always coming up with ways to push the envelope,” Hagan adds.
In the meantime, the OCR’s template is a great place to start a compliance effort. However, despite having the blessing of the regulators, it’s no replacement for due diligence and sound legal advice.
— Sarah Elkins is a West Virginia–based freelance writer.