Presenting a live 90-minute webinar with interactive Q&A Structuring Indemnification Provisions in Business Associate Agreements Allocating and Transferring Risk in Healthcare Contracting THURSDAY, FEBRUARY 25, 2016 1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific Today’s faculty features: Matthew R. Fisher , Mirick O'Connell , Worcester , Mass. Rachel V. Rose, JD, MBA, Rachel V. Rose – Attorney at Law, PLLC , Houston The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10 .
Tips for Optimal Quality FOR LIVE EVENT ONLY Sound Quality If you are listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection. If the sound quality is not satisfactory, you may listen via the phone: dial 1-866-819-0113 and enter your PIN when prompted. Otherwise, please send us a chat or e-mail sound@straffordpub.com immediately so we can address the problem. If you dialed in and have any difficulties during the call, press *0 for assistance. Viewing Quality To maximize your screen, press the F11 key on your keyboard. To exit full screen, press the F11 key again.
Continuing Education Credits FOR LIVE EVENT ONLY In order for us to process your continuing education credit, you must confirm your participation in this webinar by completing and submitting the Attendance Affirmation/Evaluation after the webinar. A link to the Attendance Affirmation/Evaluation will be in the thank you email that you will receive immediately following the program. For additional information about continuing education, call us at 1-800-926-7926 ext. 35.
Disclaimer THE INFORMATION PRESENTED IS NOT MEANT TO CONSTITUTE LEGAL ADVICE. CONSULT YOUR ATTORNEY FOR ADVICE ON A SPECIFIC SITUATION. 4
Structuring Indemnification Provisions in Business Associate Agreements Matthew Fisher, JD mfisher@mirickoconnell.com Rachel V. Rose, JD, MBA rvrose@rvrose.com February 25, 2016 5
Overview • Intro to HIPAA and BAA Regulatory Requirements • Types of Indemnification Clauses & Their Impact on Other Contractual Provisions • Considerations for Attorneys and Other Professional Responsibility Issues • International Considerations • Practical Negotiation Considerations 6 6
Intro to HIPAA and BAA Requirements 7
Legislative History • 1996 -HIPAA (Public Law 104-191) – need for consistent framework for transactions and other administrative items. • 2002 – The Privacy Rule (Aug. 14, 2002) • 2003 – The Security Rule (Feb. 20, 2003) • 2009 - Health Information Technology for Economic and Clinical Health ( “ HITECH ” ) Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5) (Feb. 17, 2009) • 2009 – The Breach Notification Rule (Aug. 24, 2009) • 2010 – Privacy and Security Proposed Regulations (Feb. 17, 2010) • 2013 – Omnibus Rule (Effective March 26, 2013, Compliance Sept. 23, 2013). 8 8
Business Associate A “ business associate ” is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. ” Business associate includes: (i) A Health Information Organization, E- prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information. (ii) A person that offers a personal health record to one or more individuals on behalf of a covered entity. (iii) A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate. 9 9
KEY DEFINITIONS • Confidentiality – “ the property that data or information is not made available or disclosed to unauthorized persons or processes. ” • Integrity – “ the property that data or information have not been altered or destroyed in an unauthorized manner. ” • Availability - “ the property that data or information is accessible and useable upon demand by an authorized person. ” 10 10
Business Associate Agreement (“BAA”) • Covered entities may not disclose protected health information to business associates or allow BAs to use PHI unless the parties have executed a business associate agreement – Have to use reasonable efforts, but if can’t get. . . • BAs have same obligation to have agreement in place with subcontractors 11 11
What Is a BAA? • A contract. • Required under HIPAA. • Several items must be included – for example: – Establishment of permitted and required disclosures and uses – Non-disclosure of information – Appropriate safeguards – Breach notification • Require elements found in both Privacy and Security Rules 12 12
BAA Basics • How know when one is needed? – Will one party handle PHI for or on behalf of another entity? – Is a service being performed? • Covered Entity Considerations: – When in doubt, get one executed?? • Business Associates – Carefully consider situation, try not to be forced into signing unnecessarily 13
Is Indemnification Required in a BAA Under HIPAA? No. 14 14
Types of Indemnification Clauses & Their Impact on Other Contractual Provisions 15
What is Indemnification? • “ To save harmless; to secure against loss or damage; to give security for the reimbursement of a person in case of an anticipated loss falling upon him. Also to make good; to compensate; to make reimbursement to one of a loss already incurred by him. ” Cousins v. Paxton & Gallagher Co ., 122 Iowa. 405, 98 N- W. 277 . • Law Dictionary: What is INDEMNIFY? definition of INDEMNIFY (Black's Law Dictionary) 16 16
Types of Indemnification Provisions • Broad Form • Intermediate Form • Limited Form 17 17
The BAA, Indemnification and Additional Considerations Relationship between the parties. Type of indemnification. Has due diligence been done? Are the parties located internationally? Have state and international laws been considered? How does the indemnification clause impact arbitration and other related contracts? 18 18
Indemnification: Impact on and Interrelation with Related Provisions 19
Related Provisions • Stay away from agency relationship • Reallocation of breach responsibility • Limitation on liability • Insurance coverage • Don’t forget the underlying service agreement 20
HIPAA and Agency • HIPAA provides that a covered entity (or a business associate) will be liable under federal common law of agency • Then again, if an agent, may not be a business associate 21
HIPAA and Agency • What is an agent under federal law? – Determined by specific factual scenario – Can the covered entity (business associate) control the activities or conduct of the other party – what authority or obligations are being delegated – What skill is required to perform the services • What are avenues for control? – Just contract? General oversight? 22
Consequences of Agency • What happens if there is an agency relationship? – Could result in covered entity having more direct liability – Could go around the contract provisions – Harder to avoid liability • As a good practice, avoid falling into agency situation – Disclaim this type of relationship 23
Breach Notification • What are response obligations? – Is CE retaining full control? – Does the BAA assign notification or other actions to the BA? • What is required? – BA: notify CE, mitigate incidents and breaches – CE: provide notification to individuals (media and HHS, depending on circumstances) 24
Breach Notification • May require: – Indemnity for response costs – Indemnity for other costs associated with breach – Cooperation and assistance with mitigation, notification, more 25
Limitation on Liability • Some party may try to put cap on what it may owe • Apply only to specific costs? – Only breach response? – Cut out anything but direct damages? • i.e. no punitive, special, indirect, consequential, or other damages 26
Limitation on Liability • Other Considerations: – Disclaim for damages caused by subcontractors – Seek comparative fault: each party responsible only for what it caused 27
Insurance Coverage • Should insurance coverage be required? – General liability, cyber, privacy, other? • Can it be obtained? • If include, identify policy limits • Be aware of exclusions and conditions • Could indemnification invalidate? 28
Insurance Coverage • If include, consider: – Require CE/BA, as applicable, be named as additional insured – Ask for certificate of insurance and actually review – Being able to review and/or approve coverage • But be careful of exerting too much control – Require notification in advance of any change or cancellation – Tail coverage 29
Recommend
More recommend