How to Draft Better Business Associate Agreements in Six Steps


Key Takeaways:

  • Federal agencies with HIPAA oversight provide helpful resources when creating BAAs–start there, but don’t stay there.
  • Signal in the services agreement the existence or non-existence of a BAA to save work for your client.
  • Don’t get so focused on meeting the regulatory requirements that you lose sight of how the BAA or related services agreement limits your remedies under the BAA.

Business associate agreements (or “BAAs”) are HIPAA-required, healthcare-related contracts that govern the sharing, use, protection, and return of protected patient information.  HIPAA refers to this patient information as “protected health information” or “PHI”.

When a HIPAA covered entity contracts with a third party for necessary services (think legal, accounting, IT, etc.) and those services will require the service provider to use or disclose PHI on behalf of the covered entity, HIPAA considers the service provider to be a “business associate”.

In those instances, HIPAA requires the parties to sign a BAA, in addition to whatever contract the parties have signed for the specific services (the “underlying service agreement”).  Here are six drafting considerations to keep in mind when creating a BAA template for your organization.

1. Start with a reliable template.

The United States Department of Health and Human Services (HHS), the federal agency that oversees the implementation and enforcement of HIPAA, provides sample BAA provisions that are a good starting point. These provisions highlight the clauses that are mandatory to include in a BAA and make a great framework if you’re new to preparing BAAs, because you will know that your BAA will satisfy regulatory requirements. The more you familiarize yourself with these BAA provisions and other BAAs, the more you’ll want to build upon this framework to better tailor it to the needs of your client.

HIPAA also specifies minimum terms that need to be included in every BAA. See 45 CFR § 165.504(e). This also serves as a useful checklist when reviewing or preparing a BAA.

2. Determine where to attach or include the BAA.

BAAs usually present themselves in one of three forms. These options are described below along with considerations that may help you determine which option may be best suited to the situation.

Option 1: As an attachment or schedule to the underlying services agreement.  This option has the obvious benefit of having everything together in one document–nice and tidy. Depending on the covered entity’s approach to CLM, this may be the preferred option.

Option 2: As a separate contract in addition to the underlying services agreement giving rise to the BAA. While not as simple as option one, this approach has several other benefits for a covered entity.

One benefit is that if the covered entity is the subject of a regulatory audit or investigation, a separate BAA makes the auditor or investigator’s job easier. Not having to flip through service agreements to isolate BAAs can save time, frustration, and cost.

Similarly, if the signed BAA ever needs to be provided to a third party, say in response to a subpoena or discovery request or an HHS investigation or audit, using a separate BAA means you won’t also automatically be providing the underlying services agreement. It will still likely be requested, but that’s different than providing information that was not requested.

If using option two, you can set the covered entity up for success by signaling the existence of a separate BAA in the underlying service agreement. For instance, in the section of the underlying services agreement discussing privacy and security requirements, the final sentence can say (in bold): “A separate business associate agreement has been signed for this purpose”. This signals to anyone who looks at the contract during its lifespan that a separate BAA exists. 

Option 3: Included as a section within the main body of the underlying services agreement. You may see this done on occasion. This approach shares a similar benefit to option one – everything is in one place. However, unlike option one, the process of redlining the underlying service agreement can be more complicated when you’ve essentially put a contract (the BAA) within a contract (the underlying service agreement). Think about the potential for missed cross-references, or unintentionally removing a key section. Also, in the event of an audit or investigation, having BAA provisions within the body of the contract can be less obvious than an attachment or separate freestanding agreement. In other words, with option three, you get some of the benefits of option one and none of option two. For that reason, this approach isn’t recommended when you’re preparing a BAA.

Whether you represent the covered entity or the business associate, if you need to use the opposing party’s BAA, and they utilize an option different than you’d prefer for your client, it may be worth a conversation with their counsel as to whether another option would better suit the parties. Specifically, if you represent the covered entity, even in situations where there is a clear imbalance of leverage when it comes to the underlying services agreement (think SaaS contracts), the covered entity may still have some ability to control the structure of the BAA: while it is not the service provider, it is its patients’ PHI.

3. Consider termination provisions in the BAA.

The Centers for Medicare and Medicaid Services (CMS)-approved BAA provisions have the BAA terminating either (1) at a specified date, or (2) for cause. However, as most of the aspects of the relationship between the covered entity and business associate will be governed by the underlying service agreement, a covered entity would not usually want the BAA to terminate before the underlying agreement or vice versa.

To prevent that, consider adding a third termination option to allow the BAA to terminate if the parties terminate the underlying service agreement. To do that, cross-reference and define any underlying agreement(s) and specify in the BAA that it is coterminous with the underlying agreements. For example: “The term of this Agreement shall run concurrently with any Underlying Agreements and will terminate without any further action of the parties upon the termination of all such Underlying Agreements.” That way, when the underlying agreement is canceled, the business associate’s obligations for PHI upon termination of the BAA automatically go into effect.

4. If a BAA is not required, say so.

There are some instances where a BAA would be required but for a regulatory exception, such as agreements between two covered entities where the purpose of the shared information is to provide treatment. See 45 CFR 164.501. An example would be where a surgery center contracts with a surgical group to perform surgeries at the center, and any PHI the surgery center shares would be for the purpose of the surgical group treating a patient. Here, a BAA would not be required. If you’re preparing a service agreement for a covered entity, and a BAA is not required, state that in the contract along with the specific regulatory exception. It can be hard to understand when a BAA is not needed, so it’s not uncommon for people to presume a BAA is required every time a covered entity signs a contract. By specifying why a BAA isn’t required, you don’t leave it to chance that someone will wonder if a BAA was signed and waste time looking for one, or call you upset that they don’t have one.

5. Watch out for the Limitation of Liability Language.

CMS does not require business associates to indemnify covered entities. Nor does CMS prohibit business associates from limiting their liability to covered entities. Both can be negotiated between the parties. When doing so, take note of how indemnities and limitations of liability in the underlying service agreement can impact the BAA.

For example, if the underlying service agreement places a limitation of liability at $5,000 and the agreement also says that the BAA is “attached to and incorporated into this agreement by reference”, the business associate could argue that its liability for a massive data breach under the BAA is capped at $5,000. The same could be said for a separate BAA when the services agreement specifies that a liability cap applies to any liability “arising from or related to” the services provided under the services agreement.

If you represent the covered entity, you will want to add language excluding breaches of the BAA from this cap. Alternatively, you could request a super cap for data breaches, so that all indemnities would be subject to this $5,000 cap, except breaches of the BAA, which would still be capped, but at a higher, predetermined amount.

6. Don’t Forget About Indemnities and Cyber Risk Insurance.

HIPAA doesn’t require business associates or covered entities to carry cyber risk insurance. However, it’s a good thing to have and a good thing for covered entities to require their business associates to have.

Many large companies will likely already have this in place, as it’s becoming an increasingly common type of coverage. For smaller business associates, it’s important to help them understand that the cost of a HIPAA breach can go into the millions of dollars. Also, having cyber risk coverage in place in advance can help the covered entity determine whether to enter a service contract.

These six drafting considerations are only some possible additions to any BAA. Start here and add these to your template for easier drafting in the future.

© 2022 Contract Nerds United, LLC. All rights reserved.
The opinions expressed throughout this website are not intended to provide legal advice or create an attorney-client relationship.