This Wisdom of the Crowd (ACC member discussion) is compiled from questions and responses posted by the IT, Privacy and eCommerce Network on their Forum. It addresses the use of indemnification provisions in Business Association Agreements (BAAs) in the United States.
(*Permission was received from ACC members quoted below prior to publishing their Forum Comments in this Wisdom of the Crowd Resource.)
Question: I am looking for insight to provide more context on industry standards regarding vendor Business Associates (BA) and the indemnification provisions in Business Association Agreements (BAAs).
If you are a business associate, what do you typically do? When you receive push back, ultimately where do you end up finding middle ground?
And on the flip side, as a Covered Entity (CE), is this provision a deal breaker to have in the BAA? Also, do you negotiate mutuality? When you negotiate do you discuss the actual risk of how much protected health information (PHI) is actually transferred and the security around it? Or do you try to maintain consistency in your agreements regardless of the fact that risks change depending on who the BA is?
Wisdom of the Crowd: Response #1: I represent a business associate. We receive aggregate patient data from our customers, although we may receive some PHI, usually in the form of a limited data set. We have a limited role that falls under health care operations of the covered entity. We do have mutual indemnification in our BAAs and expect the covered entity to be responsible for not giving us PHI that we did not request or need for our services. Our indemnification covers any non-fulfillment of any undertaking on the part of the party under the BAA, and negligent or intentional acts or omissions in the party's performance under the BAA.1
Response #2: I represent a Business Associate. The BAA form that we receive from the client (a covered entity) ALWAYS has a provision under which the Business Associate must indemnify the Covered Entity:
"Business Associate agrees to indemnify, defend and hold harmless Covered Entity and its employees, trustees, members, medical staff, representatives, and agents (collectively, the "Indemnitees") from and against any and all claims (whether in law or in equity), obligations, actions, causes of action, suits, debts, judgments, losses, fines, penalties, damages, expenses (including reasonable attorney's fees), liabilities, lawsuits and/or costs incurred by the Indemnitees, arising or resulting from a breach of the terms and conditions of this Agreement [referring to the BAA] or a violation of the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH) or HIPAA Regulations by Business Associate or its employees or agents."
And there often is an additional separate section requiring the Business Associate to be responsible for the costs of notifying patients and paying for credit monitoring service for one year, following an actual data breach.
Our counter-proposal always includes:
1. Making sure that the BAA has affirmative obligations for the CE;
a) Covered Entity shall notify the BA of any limitation in its notice of privacy practices of Covered Entity in accordance with 45 CFR 164.520, to the extent that such limitation may affect BA's use or disclosure of Protected Health Information.
b) Covered Entity shall notify BA of any changes in, or revocation of, permission by an individual to use or disclose Protected Health Information, to the extent that such changes may affect the surveillance information system's (SIS's) use or disclosure of Protected Health Information.
c) Covered Entity shall notify BA of any restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 C.F.R. 164.522, to the extent that such restriction may affect BA's use or disclosure of Protected Health Information.
d) Covered Entity shall obtain any consent, authorization or permission that may be required by the Privacy Rule or applicable state laws and/or regulations prior to furnishing to BA the Protected Health Information pertaining to an individual. Covered Entity shall not request that BA uses or discloses Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Covered Entity.
e) [I have proposed to add that the CE must encrypt all ePHI sent over a public network to reduce the risk that one of our employees gets their ePHI in unencrypted email, but I get a lot of pushback. It becomes very frustrating that they want that level of care from us, but are not willing to hold their own workforce to that standard.]
2. Reciprocate the Indemnity; and:
a) Limit the indemnity to a comparative liability standard: ". . . arising or resulting from, and only to the extent of, a breach of the terms and conditions of this Agreement [or a violation of HIPAA, the HITECH Act or HIPAA Regulations] by Business Associate or its employees or agents."
b) Add the following process: "The indemnifications provided in this Section are conditioned on (i) the indemnitee giving the indemnitor prompt written notice of such claim; (ii) the indemnitee providing its full cooperation in the defense of such claim, if requested by indemnitor and at indemnitor's expense; and (iii) the indemnitee not entering into any settlement or compromise in respect of such claim without the indemnitor's prior written consent, such consent not to be unreasonably withheld or delayed, unless the settlement includes an unconditional general release of the indemnified Party. Indemnitee may engage legal counsel to monitor, but not control, any such claim at indemnitee's expense."
c) Limit the liability with a carve-out for the indemnity: "EXCEPT FOR THE INDEMNIFICATION ABOVE (WHICH SHALL BE CONSTRUED AS ACTUAL DAMAGES), NEITHER PARTY SHALL BE LIABLE TO THE OTHER PARTY FOR ANY INCIDENTAL, CONSEQUENTIAL, SPECIAL, OR PUNITIVE DAMAGES OF ANY KIND OR NATURE, WHETHER SUCH LIABILITY IS ASSERTED ON THE BASIS OF CONTRACT, TORT (INCLUDING NEGLIGENCE OR STRICT LIABILITY), OR OTHERWISE ARISING UNDER THIS BAA, EVEN IF THE OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGES."
d) Confirm that the BAA stands on its own, apart from the rest of the contract, with respect to remedies and limitations: "The terms of this BA Agreement are hereby incorporated into the Services Agreement. In the event of a conflict between the terms of this BA Agreement and the terms of the Services Agreement, the terms of this BA Agreement shall prevail. Business Associate's obligations hereunder shall not be subject to any limitations of liability or remedies in the Services Agreement. The terms of the Services Agreement which are not modified by this BA Agreement shall remain in full force and effect in accordance with the terms thereof." [though caution, we often have an arbitration clause in the main contract that we want to apply to BAA disputes, so we do not want dispute resolution addressed in the BAA.]
3. If the CE will not reciprocate the indemnity, then:
a) Replace the one-way indemnity with language that points to the mutual indemnity in the main agreement;
b) Propose to delete the indemnity (We have had minimal success with this one); or
c) As a last resort, revise the list of affirmative obligations of the CE so that an argument can be made that a breach of those triggers a right to actual damages close to what we would have gotten under the indemnity.2
Response #3: While this looks wonderful, and as a lawyer I can greatly admire the thinking that has gone into this set of points and counterpoints, the transactional costs to do this contract by contract must be enormous. I would imagine that few BAs (or CEs for that matter) really have the resources to work these options out to this degree (or management that has the patience for this much work on what should be a routine transaction).3
Response #4: You would think that would be the case, but I actually have found that not to be true from both the CE side and the BA side, having been on both. BAAs are really not routine, especially as BAs become more sophisticated and CEs are under the gun to protect PHI.
In our market, where there is a BAA with every deal, it does use a lot of resources to negotiate each BAA, but even worse, there is no consistency. Each CE focuses on different areas of concern and all want to use their own BAA, which, as the BA, makes it really difficult to get consistency among agreements. We also are not in a position to lose a deal over a BAA, so many times we lack leverage to try and work towards consistency on our end with what terms we accept/reject. With the sheer volume of these agreements, it really puts BAs in a tough spot, because as you have stated, it would take a tremendous amount of resources to manage these agreements, when they should be routine, given what the intent is, to protect PHI.
Given lack of consistency and resources to manage the intricacies of each BAA, if something were to go wrong, we would have to look at the most stringent requirements and use that for notification times, etc., because there would be no way to sort through all of the BAAs and their requirements when working with a potential breach situation.
It seems like the community who uses BAAs would be better served by a standard template given we are working within extensive regulations anyhow. It would allow BAs and CEs to more efficiently understand and manage their responsibilities without having to spend resources negotiating each one and then tracking their compliance with that agreement.4
Response #5: Typically, I delete the indemnity and have all the indemnity clauses in one place: the services agreement, with whatever cap(s) we put in place.
Alternatively, I narrow and cap. [I can make it mutual, but not as big of a priority as narrowing and capping.]
It is not one of the required provisions per the regulation. And the topic is covered in the services agreement. But BAAs (like many non-disclosure agreements (NDAs) that are not limited to the pre-contract stage) work together with any agreements you have in place.
I try to keep the BAAs as close to the recommended BAA language on the Center for Medicare and Medicaid (CMS)/Department of Health and Human Services (HHS) website. The closer our BAA and/or the Covered Entity BAA is to that template, the easier and more streamlined it is to negotiate. I try to leave more of the negotiation for the services agreement.5
Response #6: I agree generally that the BAA should have the BAA terms in it and extraneous information is not necessarily helpful; however, as my company is the covered entity, I want the business associate to agree to things, like providing me information about an incident, that is not required as part of the regulatory language but which is naturally flowing from the business associate/covered entity relationship. I do not want to have the BAA reflect what specific services, etc., the business associate will perform for my company, but I do want the BAA to reflect the needs that I have with respect to that information, which may sometimes include indemnity and other reporting requirements, even though they are not required by the regulation.6
Response #7: Since there is no regulatory requirement to have indemnity in a BAA, the need for indemnity terms or other liability caps or shifts depends on what the BA is doing for the CE and the risk involved.7
Response #8: I have represented both BAs and CEs. I currently work for a well-known healthcare provider CE.
As a CE, we insist upon the use of our BAA template, which contains an admittedly broad and uncapped indemnity. With a handful of exceptions, it is a deal breaker for us to use a BA's template BAA or to remove the indemnity in our BAA template. As a CE we have great responsibility for our patients' PHI and great liability for any breach. It would create a moral hazard if we allowed our BAs to limit their liability in any way or otherwise shift the risk of a breach to us. Our BAs may not like it, but they typically understand that this is the "price of admission" in providing their products or services to the healthcare market in general and to us in particular. When I was on the BA side for vendors of healthcare products and services, we fairly quickly conceded and provided an indemnity in our BAAs (uncapped if necessary).
We do not provide a mutual indemnity. I do not know what benefit a mutual indemnity would provide a BA, when all of the obligations in a BAA run from the BA to the CE. I suppose we could if the CE agrees to affirmative obligations, but we do not do that.
When we negotiate BAAs, we do discuss risk, but we typically do not adjust our BAA based upon the risk (for consistency, but also because as mentioned we do not allow our BAs to shift risk to us for their breaches).
You did not ask, but another area where we are firm is in the timing of notices. This is for consistency and for compliance with state law (our BAA also covers state privacy law).
We have walked away/had vendors walk away from doing business over BAAs.
I am stating the obvious, but this all comes down to leverage. I am in the lucky position of working for a CE that BAs are typically willing to easily accommodate for the business with internal clients that are on the same page with respect to protecting the entity. If I worked for a CE with less leverage or less enlightened clients, I would likely have to accept some of the compromises you have suggested (caps, limited scope, etc.).8
1 Anonymous (February 10, 2017)
2 Anonymous (February 10, 2017)
3 Anonymous (February 11, 2017)
4 Anonymous (February 13, 2017)
5 Sarah Sederstrom, Senior Legal Counsel, Wunderman (February 10, 2017)
6 Kerry Childe, Senior Corporate Counsel, Best Buy Co. (February 10, 2017)
7 Lee Braum, Senior Corporate Counsel & Chief Compliance Officer, Evonik Corporation (February 10, 2017)
8 Anonymous (February 14, 2017)