Business Associate Agreements – What’s Normal?
It would be nice if all BAAs followed the same script. The reality is no two BAAs are exactly alike, which can make it hard to tell what's normal and what's not.
What's normal? Years ago, regulators released guidance on terms that must be included in a BAA, including a template contract with sample language. A normal BAA will follow the template and will cover the following general topics:
· Restricting the use and disclosure of protected health information (a/k/a PHI) in your care
· Using safeguards—i.e., physical, technical, and administrative protections—to prevent unauthorized use and disclosure of PHI in your care
· Reporting breaches or attempted breaches of PHI
· Pushing the terms of the BAA down to any of your subcontractors who’ll have access to PHI
· When the BAA is over, returning or safekeeping the customer’s PHI
What’s not normal? If the BAA you’re looking at is more than 3 pages single-spaced, chances are it includes terms and conditions beyond what’s legally required. And if you're on the business associate end of the BAA, extra terms should be negotiated. Here are examples of common non-essential terms to be negotiated:
· Indemnification. Learn more about what indemnification means here.
· Non-PHI data. A BAA is required to protect PHI against unauthorized use or disclosure. Extending the same protections to broader categories (e.g., personally identifiable information or PII) may go too far.
· Audit rights. A requirement on you, as the business associate, to make your people, facilities, and systems available for auditing by your customer.
Other variables – adding limitations of liability. Limitations of liability are covered in depth here. BAAs are contracts, and as with many contracts, there is good reason to dial in an appropriate limitation of liability.
Other variables – adding requirements on the customer. If you're the business associate, it’s fair to require the customer to hold up their side of the privacy fence as well (e.g., encryption specifications, SSL certificates, following their own written privacy policies, etc.).
Other variables – de-identified data. Scrubbing personal identifiers from PHI to use it for analytics, research, or other purposes is considered a “use” of PHI. Permission to de-identify the data must be written into the BAA or elsewhere in the agreement. Regulators are very specific on this.