HIPAA, HITECH & HIT Legal Issues, Developments and Other Pertinent Information Relating To The Creation, Use and Exchange of Electronic Health Records

“Boilerplate” Provisions in Business Associate Agreements Warrant Attention

Posted in HIPAA Business Associates

Michael J. Coco writes:

The expanded requirements under the HIPAA Omnibus Rule for a Business Associate Agreement (“BAA”) have created an increase in volume and the need for analysis of such agreements, as individuals in industries traditionally unrelated to health care – such as IT vendors – find themselves confronting issues respecting a BAA. The increase in BAA’s has also generated an increase in articles and commentators opining on advisable BAA provisions. Most of these articles focus, as one would expect, on the functional aspects of the BAA. This “meaty” part of the BAA, however, is not the only important part of the agreement. Less frequently have commentators discussed “boilerplate” or “standard” provisions found in most contracts, including BAA’s.

In spite of the seemingly self-explanatory term given to these provisions, they are not always standard and, more importantly, not advisable in all circumstances. The BAA is similar to other contracts in that certain boilerplate provisions sometimes work in the favor of both parties, whereas other provisions may be unduly limiting or even detrimental to both parties, while some provisions favor the party that is the covered entity (“CE”) over the business associate (“BA”), or vice versa. In reviewing BAA’s, I have noticed that certain standard provisions, often tacked on to the end of the BAA, may be detrimental to both parties, and other standard provisions that should have been included were absent. Below is a list of some standard contract provisions and how they might operate in a BAA:

Choice of Law: This provision allows the parties to choose what law governs the contract. Although federal law governs the required content of a BAA, the actual interpretation of the contract, damage awards, and other substantive issues are governed by state law. As such, each party should request to use an applicable state law that will favor its position.

Jurisdiction and Venue: This standard provision requires the parties to litigate any claims under the BAA in a specific state and county. In most cases, as a matter of convenience and economy, each party to an agreement will want jurisdiction and venue to be in its respective home county. A CE, however, should be mindful that a large HIPAA breach would be likely to reflect negatively on it within the community, even if the breach is legally attributable to actions or inactions of the BA. A CE should take this into consideration, along with its reputation in the community, when deciding to assign venue to its home county.

Force Majeure: Under contemporary contract law, a party is liable for a breach (in most cases) regardless of fault. A Force Majeure provision alleviates the harshness of this rule by eliminating liability for a breach where the action or omission that caused the breach was beyond the reasonable control of the breaching entity. Examples typically include floods, earthquakes, terror attacks and other events beyond the parties’ control. In a typical BAA arrangement, the BA has more obligations than the CE (often because the BAA was originally drafted by the CE). A CE, therefore, should carefully consider whether a Force Majeure provision will advance its interest. BA’s, on the other hand, will often benefit from a Force Majeure provision.

Indemnification: An indemnification provision requires the breaching party to act as an indemnitor to the non-breaching party, covering liability, costs and damages as a result of the breach. This provision often requires negligence on the part of the breaching party and may or may not be reciprocal. Because the CE more likely than not has more to lose than the BA, a reciprocal indemnity provision favors a CE more than a BA. (A prior posting on this blog provided a list of ten items to contemplate if an indemnification provision is being considered for a BAA.)

Third Party Beneficiaries: A Third Party Beneficiary (“TPB”) is a person or group that claims rights under a contract to which the TPB is not a party. Because HIPAA does not create a private right of action, patients and other injured parties cannot use HIPAA directly to sue for damages. A BAA could, potentially, create a “backdoor” right to enable patients and other third parties to sue the CE and/or BA under a TPB theory. For that reason, both parties to the BAA should agree on and include a standard provision that excludes TPB from the contract.

These are just a few of the standard provisions in contracts, and parties should carefully consider including them in their BAA. Certain facts, updated regulations, state law peculiarities or other circumstances might alter the general rules discussed here.

[Michael Coco handles a range of corporate matters, focusing his practice primarily in the area of health law. As a former ER staff nurse and chemist, Michael has in-depth insight into such topics as FDA approval of medical devices as well as hospital compliance with federal and state laws and regulations, including privacy and security of health information and professional standards.]