HIPAA


Business Associate Agreement

  • 1.  Business Associate Agreement

    Posted 13 days ago
    Does anyone have a blank BAA template they could share with me?

    ------------------------------
    April M. Richardson, MSM, M.S.
    Director - Compliance & Performance Improvement
    Direct: 205.790.1334
    www.glenwood.org
    ------------------------------


  • 2.  RE: Business Associate Agreement

    Posted 13 days ago
    Good Afternoon:

    Since I am a consultant, I review a lot of BAAs. Because they are not documents belonging to my own organization, I cannot share them directly. However, I can say the vast majority of them are modeled after the sample provided on the HHS website:

    When I say modeled after I should say taken verbatim from. 

    I have been to a lot of presentations by a lot of different attorneys and about half of them strongly recommend (or perhaps insist is a better word) that reasons for the business associate to access the covered entity's PHI be specifically spelled out in the BAA and any other access, use, or disclosure be considered impermissible. The other half strongly recommend (or perhaps insist is a better word) that the business associate agreement refers to the contract when stating what access, use, or disclosure is permissible and not put it specifically in the BAA. Not being an attorney myself, I will leave that fight up to those who are.

    Hope this is helpful.
    -Alex- 



    Alexander I Slosman, MHA, CHC, CHPC





  • 3.  RE: Business Associate Agreement

    Posted 12 days ago
    I think the HHS model BAA represents bare-bones generic provisions that you will find in almost all BAAs. However, most BAAs have more provisions and are tailored specifically to the organization's risk tolerance. I would suggest consulting with an attorney in developing a model for your organization.

    ------------------------------
    Brenda Manning JD, CHC, CHPC
    Privacy Counsel
    Maximus, Inc.

    The views expressed herein are my own and do not represent those of my employer. They are not meant to constitute legal advice or create an attorney-client relationship.
    ------------------------------



  • 4.  RE: Business Associate Agreement

    Posted 12 days ago
    To both Brenda and Alex,

    What are your thoughts or experience with adding or not adding an “indemnity statement”? I have seen it argued both ways.

    Hernan




  • 5.  RE: Business Associate Agreement

    Posted 12 days ago
    First and foremost, I concur with Brenda.  You are drafting a legal contract that, if it is actually used between the parties, will be in the context of a dispute (or potential dispute).   Every organization should have its template in place, ideally drafted or reviewed/blessed by their counsel.   This is true especially if you practice in a state or jurisdiction that has passed, or will pass, some form of privacy law that gives individuals a private right of action or imposes additional duties.

    That being said, Alex is also right that the most basic requirements for HIPAA are in the HHS template.  And the more common use of a BAA would be demonstrating to the OCR that you had it in place in the event of a breach they end up investigating.

    To answer Hernan's question, albeit not being Brenda or Alex ;-), indemnity is *less* of an issue these days now that OCR can/will go after BAAs for fines directly, but if you are in a state or jurisdiction that adds additional monetary risk (fines or private rights of action) or if the amount of PHI being held by the BA is substantial, requiring all parties to bear the costs (suits, fines, mailings, forensic analysis, identity theft protection, counsel fees, etc.) arising from their own breach is, IMO, essential.

    ------------------------------
    Scott Intner
    Chief Compliance Officer
    GW Medical Faculty Associates
    Washington, DC
    ------------------------------



  • 6.  RE: Business Associate Agreement

    Posted 12 days ago
    Scott, 
    Any time you want to pretend to be me in this group, I would be honored. :) 
    Alexander I Slosman, MHA, CHC, CHPC





  • 7.  RE: Business Associate Agreement

    Posted 11 days ago
    Yes, indemnification is one of the provisions that I had in mind as something most organizations add to their BAA. In my experience it is often the most contested provision - typically by large BAs who are receiving a significant amount of PHI who try to significantly limit their liability to the amount of the contract. That's why, to Scott's point, it is important each organization develops their own template, decides which provisions they have wiggle room on and has someone experienced with BAAs doing the review and negotiation.

    ------------------------------
    Brenda Manning JD, CHC, CHPC
    Privacy Counsel
    Maximus, Inc.

    The views expressed herein are my own and do not represent those of my employer. They are not meant to constitute legal advice or create an attorney-client relationship.
    ------------------------------



  • 8.  RE: Business Associate Agreement

    Posted 12 days ago
    When I see indemnity clauses added to the BAA most often it is the vendor supplying the BAA and the clause tightly limits the financial liability of the business associate. I strongly advise clients to discuss this with their attorney and be sure they understand what they are agreeing to. 

    Many times, especially for large vendors with a significant presence in the healthcare space, a vendor will say "It is our BAA or nothing and we do not modify our BAAs." 

    When indemnity clauses are more favorable to the covered entity, at least the ones I see, they tend to be included in the contract or other purchase agreement documents.

    My, hopefully well thought out but admittedly lacking formal legal education, position is the BAA should address responsibilities for HIPAA compliance, other considerations are best left to the purchase and sales process. 

    That being said I would recommend all those issues be finalized before completing the purchase. Too many times I was brought in when something went wrong after the contract was in force. (Just my plug for including privacy at the beginning of the purchase process not when the paperwork is being signed).


    Alexander I Slosman, MHA, CHC, CHPC





  • 9.  RE: Business Associate Agreement

    Posted 12 days ago
    Lots of good points, Alex.

    We insist on starting with our BAA template, which specifically carves out indemnification issues related to privacy and HIPAA to the BAA and has it supersede anything in the master agreement.  I can count on one hand the number of exceptions we've had to make in the last 5 years.

    Frankly, the biggest healthcare vendors are often easier to deal with on this because they have legal teams and people dedicated to the issue.   The problems have been with companies that are big, dominant and only tangentially work with healthcare.  SurveyMonkey, for example, insists on using their BAA and will only discuss modifications if you pay them to do so.   In those cases, you have to evaluate the risk to your PHI and what the cost of a breach would truly be.

    ------------------------------
    Scott Intner, JD, CHC, CHPC
    Chief Compliance Officer
    GW Medical Faculty Associates
    Washington, DC
    ------------------------------



  • 10.  RE: Business Associate Agreement

    Posted 12 days ago
    Thanks to Scott, Alex, and Brenda for this very good discussion on the BAA. Just more proof that there is always something to learn or review years after the initial implementation of the rule!

    Thanks again,

    v/r

    Hernan




  • 11.  RE: Business Associate Agreement

    Posted 11 days ago
    Scott,

    How do you handle situations when the vendor wants to only use their BAA?  We are running into this more frequently.

    ------------------------------
    Teresa Gonsalves, LSW, CHC
    Chief Compliance and Ethics Officer
    WCCHC
    Waianae, HI
    ------------------------------



  • 12.  RE: Business Associate Agreement

    Posted 11 days ago
    It is always a question of leverage:  who needs the other enough to bend?

    I let them know, honestly, that if we use my paper, we can typically resolve disputes over terms quickly.  Normally it is a single 15-30 minute phone call.  If they insist on using theirs, it may take me 6 weeks to complete my review of their documents but no promises.  The effort to not only review their language but figure out what isn't there isn't quick and requires uninterrupted time.  They normally see it my way. <shrug>

    Did have one go almost 6 months of dithering earlier this year (our guys weren't in a rush as this was being prepared as a backup plan).  Wasn't until they replaced their inhouse counsel that we made progress (and resolved it in under an hour).  To be fair, there were some very particular factors in that case (cloud-based storage provider) where the contract required us to only upload encrypted data so that they literally couldn't perform most duties a typical BAA requires of the BA.

    Bottom-line, like everything else we deal with, it is a risk-based calculus.

    - Scott

    ------------------------------
    Scott Intner, JD, CHC, CHPC
    Chief Compliance Officer
    GW Medical Faculty Associates
    Washington, DC
    ------------------------------



  • 13.  RE: Business Associate Agreement

    Posted 12 days ago

    Well stated Alex!

    Cinda



  • 14.  RE: Business Associate Agreement

    Posted 12 days ago
    Thank you so much Mr. Slosman. I actually started my draft utilizing the one from the hhs.gov website.  I really appreciate your feedback.

    ------------------------------
    April M. Richardson, MSM, M.S.
    Director - Compliance & Performance Improvement
    Direct: 205.790.1334
    www.glenwood.org
    ------------------------------
