As a start-up tech company, you’ve likely poured hundreds of hours into the development and testing of a marketable product, and have pitched your idea to countless investor groups and prospective customers. After your product is launched and customers are being signed up, a whole new set of concerns will present themselves. For start-ups targeting customers in the healthcare industry, these concerns will likely include the adoption of critical compliance and risk mitigation protocols mandated by HIPAA for the so-called “Business Associates” of “Covered Entities.”

Is your start-up a Business Associate?

The Omnibus Health Insurance Portability and Accountability Act (HIPAA) has been in place for over two decades, and helps to protect the rights of patients and the privacy of their medical records. Until now, your only interaction with HIPAA may have been as a patient asked to acknowledge the privacy practices of your own doctor. However, as a vendor selling technology in the healthcare space, you will be considered a partner or “Business Associate” of your customers if they are “Covered Entities” under HIPAA and will be sharing the protected health information (“PHI”) of their patients with you. Some examples of business associates (BA) include electronic health record providers, cloud providers, mobile app developers, practice management SaaS and consultants; essentially, any person or entity that creates, receives, maintains or transmits PHI while providing services on behalf of a covered entity (e.g., a physician, hospital or health care plan). In addition, if your company is a subcontractor of a Business Associate, you will most likely be considered a BA, too. It is important to determine if you meet the criteria of a BA before agreeing to enter into a business associate agreement with your covered entity customer, since the obligations and potential liabilities of business associates are significant.
What are the obligations of a Business Associate?

A business associate’s obligations under HIPAA generally come from two sources: the HIPAA rules themselves and the business associate agreement. Under HIPAA, a business associate must take certain prescribed steps to protect PHI and is also required to self-report HIPAA breaches to covered entities, among other obligations. Violations of these rules not only carry significant civil and criminal penalties, but can also have a devastating impact on a start-up’s ability to attract future business.

A business associate agreement also imposes responsibilities on a BA. This agreement is typically separate from the primary service contract between customer (covered entity) and vendor (business associate), and is intended to satisfy HIPAA-imposed requirements, as well as divide responsibilities and liability between the parties. Start-ups should be aware that not all business associate agreements (“BAA”) are alike. Although most agreements are fairly standard across organizations, Covered Entities may try to add additional terms or impose obligations on a BA that are not mandated by the HIPAA regulations.

HIPAA-mandated terms in a Business Associate Agreement

Certain provisions in a BAA are non-negotiable, including the following obligations imposed on the Business Associate relating to:

Negotiated terms in a Business Associate Agreement

Start-ups should pay close attention to the following areas in a BAA where a Covered Entity could propose terms which are less favorable to the Business Associate:

Outside GC is happy to assist your company with the review of Business Associate agreements or to answer any other HIPAA-related questions. Please feel free to contact Marni Levitt at [email protected] or contact us via our website.

Marni Levitt is a Member of Outside GC’s Boston-based team. She brings over twenty years of experience practicing health care and hospital law, with a focus on healthcare regulatory compliance, HIPAA and privacy-related matters, and general contracts review, including Business Associate Agreements. Marni can be reached at [email protected] or 508-561-4306.
This publication should not be construed as legal advice or a legal opinion on any specific facts or circumstances, nor as an offer to represent you. It is not intended to create, and receipt does not constitute, an attorney-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal questions you may have. Pursuant to applicable rules of professional conduct, portions of this publication may constitute Attorney Advertising.