As a start-up tech company, you’ve likely poured hundreds of hours into the development and testing of a marketable product, and have pitched your idea to countless investor groups and prospective customers. After your product is launched and customers are being signed up, a whole new set of concerns will present themselves. For start-ups targeting customers in the healthcare industry, these concerns will likely include the adoption of critical compliance and risk mitigation protocols mandated by HIPAA for the so-called “Business Associates” of “Covered Entities.”
Is your start-up a Business Associate?
The Omnibus Health Insurance Portability and Accountability Act (HIPAA) has been in place for over two decades, and helps to protect the rights of patients and the privacy of their medical records. Until now, your only interaction with HIPAA may have been as a patient asked to acknowledge the privacy practices of your own doctor. However, as a vendor selling technology in the healthcare space, you will be considered a partner or “Business Associate” of your customers if they are “Covered Entities” under HIPAA and will be sharing the protected health information (“PHI”) of their patients with you.
Some examples of business associates (BA) include electronic health record providers, cloud providers, mobile app developers, practice management SaaS and consultants; essentially, any person or entity that who creates, receives, maintains or transmits PHI while providing services on behalf of a covered entity (e.g., a physician, hospital or health care plan). In addition, if your company is a subcontractor of a Business Associate, you will most likely be considered a BA, too.
It is important to determine if you meet the criteria of a BA before agreeing to enter into a business associate agreement with your covered entity customer since the obligations and potential liabilities of business associates are significant.
What are the obligations of a Business Associate?
A business associate’s obligations under HIPAA generally come from two sources: the HIPAA rules themselves and the business associate agreement. Under HIPAA, a business associate must take certain prescribed steps to protect PHI and is also required to self-report HIPAA breaches to covered entities, among other obligations. Violations of these rules not only carry significant civil and criminal penalties, but can also have a devastating impact on a start-up’s ability to attract future business.
A business associate agreement also imposes responsibilities on a BA. This agreement is typically separate from the primary service contract between customer (covered entity) and vendor (business associate), and is intended to satisfy HIPAA-imposed requirements, as well as divide responsibilities and liability between the parties. Start-ups should be aware that not all business associate agreements (“BAA”) are alike. Although most agreements are fairly standard across organizations, Covered Entities may try to add additional terms or impose obligations on a BA that are not mandated by the HIPAA regulations.
HIPAA-mandated terms in a Business Associate Agreement
Certain provisions in a BAA are non-negotiable, including the following obligations imposed on the Business Associate relating to:
- Safeguarding PHI: the BA must implement appropriate safeguards to prevent the unauthorized use or disclosure of information, including safeguards relating to electronic PHI under HIPAA’s Security Rule
- Subcontractors: the BA must ensure that any subcontractor it may engage on its behalf that will have access to PHI agrees to the same restrictions and conditions that apply to the BA itself
- Reporting Unauthorized Use: the BA is required to report to the Covered Entity any use or disclosure of PHI not permitted under the contract, including incidents that constitute breaches of unsecured PHI
- Disclosing PHI: the BA must provide PHI when necessary to satisfy a covered entity’s obligation with respect to individuals’ requests for copies of their records, or when needed for amendments or requests for an accounting of disclosures.
- Assisting with Covered Entity’s Compliance: the BA is expected to make available to the Department of Health and Human Services (HHS) its internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by the BA on behalf of, the covered entity for the purpose of determining the covered entity’s own compliance with HIPAA
- Destroying PHI upon termination: upon termination of a BAA, the BA is required, if feasible, to return or destroy all PHI received from, or created and received by the business associate on behalf of, the covered entity, or if return or destruction of the PHI is infeasible, to maintain the PHI in accordance with the terms of the BAA even after termination of the relationship.
Negotiated terms in a Business Associate Agreement
Start-ups should pay close attention to the following areas in a BAA where a Covered Entity could propose terms which are less favorable to the Business Associate:
- Notice Requirements: There are several places in a BAA which set timeframes around reporting known breaches or security incidents, as well as for responding to requests from covered entities for access to PHI or simply for an accounting of any disclosures made by a business associate to an individual. Because a covered entity may attempt to shorten these timeframes from what is required under HIPAA, the BA should review carefully any place in the business associate agreement where notice obligations are included to avoid accepting terms which may be burdensome, or in some cases, impossible to comply with.
- Indemnification Clauses: Indemnification is the concept through which the party at fault is responsible for paying the expenses, costs, fines, penalties and losses that the other party incurs. Although HIPAA does not require the inclusion of indemnification clauses in BAAs, most covered entities will include them, and very often, they are one-sided. Start-ups should to try strike these clauses all together, or at a minimum, negotiate more balanced indemnity clauses and/or narrow their applicability to only cases involving a breach of PHI. Also, BAs should seek to limit their exposure to the amount of actual and direct costs incurred by a covered entity.
- Limitation on Liability: Business associate agreements are typically accompanied by an underlying service agreement between the BA and Covered Entity. A startup may include limitation on liability language in their customer service agreement, but this protection could be lost if a Covered Entity includes a provision in the BAA which nullifies any limitation of liability in the event of a breach of the BAA. This is another area where the BA should seek to negotiate a compromise.
- Audit Rights: Although HIPAA requires BAs to make its books and records available to the Department of HHS for audit purposes, it does not require the BA to grant the same access to the covered entity.
Outside GC is happy to assist your company with the review of Business Associate agreements or to answer any other HIPAA-related questions. Please feel free to contact Marni Levitt at email@example.com or contact us via our website.
Marni Levitt is a Member of Outside GC's Boston-based team. She brings over twenty years of experience practicing health care and hospital law, with a focus on healthcare regulatory compliance, HIPAA and privacy-related matters, and general contracts review, including Business Associate Agreements. Marni can be reached at firstname.lastname@example.org or 508-561-4306.