The audio portion of the conference may be accessed via the telephone or by using your computer's
speakers. Please refer to the instructions emailed to registrants for additional information. If you
have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.
Structuring Indemnification Provisions
in Business Associate Agreements Allocating and Transferring Risk in Healthcare Contracting
Today’s faculty features:
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific
THURSDAY, FEBRUARY 25, 2016
Presenting a live 90-minute webinar with interactive Q&A
Matthew R. Fisher, Mirick O'Connell, Worcester, Mass.
Rachel V. Rose, JD, MBA, Rachel V. Rose – Attorney at Law, PLLC, Houston
Tips for Optimal Quality
Sound Quality
If you are listening via your computer speakers, please note that the quality
of your sound will vary depending on the speed and quality of your internet
connection.
If the sound quality is not satisfactory, you may listen via the phone: dial
1-866-819-0113 and enter your PIN when prompted. Otherwise, please
send us a chat or e-mail [email protected] immediately so we can address
the problem.
If you dialed in and have any difficulties during the call, press *0 for assistance.
Viewing Quality
To maximize your screen, press the F11 key on your keyboard. To exit full screen,
press the F11 key again.
FOR LIVE EVENT ONLY
Continuing Education Credits
In order for us to process your continuing education credit, you must confirm your
participation in this webinar by completing and submitting the Attendance
Affirmation/Evaluation after the webinar.
A link to the Attendance Affirmation/Evaluation will be in the thank you email
that you will receive immediately following the program.
For additional information about continuing education, call us at 1-800-926-7926
ext. 35.
FOR LIVE EVENT ONLY
Disclaimer
THE INFORMATION PRESENTED IS NOT MEANT TO
CONSTITUTE LEGAL ADVICE. CONSULT YOUR
ATTORNEY FOR ADVICE ON A SPECIFIC SITUATION.
4
5
Structuring Indemnification Provisions in Business Associate Agreements
Matthew Fisher, JD
Rachel V. Rose, JD, MBA [email protected]
February 25, 2016
6
Overview
• Intro to HIPAA and BAA Regulatory Requirements
• Types of Indemnification Clauses & Their Impact on Other Contractual Provisions
• Considerations for Attorneys and Other Professional Responsibility Issues
• International Considerations
• Practical Negotiation Considerations
6
7
Intro to HIPAA and BAA
Requirements
8
Legislative History
• 1996 -HIPAA (Public Law 104-191) – need for consistent framework for transactions and other administrative items.
• 2002 – The Privacy Rule (Aug. 14, 2002)
• 2003 – The Security Rule (Feb. 20, 2003)
• 2009 - Health Information Technology for Economic and Clinical Health (“HITECH”) Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5) (Feb. 17, 2009)
• 2009 – The Breach Notification Rule (Aug. 24, 2009)
• 2010 – Privacy and Security Proposed Regulations (Feb. 17, 2010)
• 2013 – Omnibus Rule (Effective March 26, 2013, Compliance Sept. 23, 2013).
8
9
Business Associate
A “business associate” is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information.” Business associate includes: (i) A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information. (ii) A person that offers a personal health record to one or more individuals on behalf of a covered entity. (iii) A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.
9
10
KEY DEFINITIONS
• Confidentiality – “the property that data or information is not made available or disclosed to unauthorized persons or processes.”
• Integrity – “the property that data or information have not been altered or destroyed in an unauthorized manner.”
• Availability - “the property that data or information is accessible and useable upon demand by an authorized person.”
10
11
Business Associate
Agreement (“BAA”)
• Covered entities may not disclose protected health information to business associates or allow BAs to use PHI unless the parties have executed a business associate agreement
– Have to use reasonable efforts, but if can’t get. . .
• BAs have same obligation to have agreement in place with subcontractors
11
12
What Is a BAA?
• A contract.
• Required under HIPAA.
• Several items must be included – for example: – Establishment of permitted and required disclosures and uses
– Non-disclosure of information
– Appropriate safeguards
– Breach notification
• Require elements found in both Privacy and Security Rules
12
13
BAA Basics
• How know when one is needed?
– Will one party handle PHI for or on behalf of another entity?
– Is a service being performed?
• Covered Entity Considerations:
– When in doubt, get one executed??
• Business Associates
– Carefully consider situation, try not to be forced into signing unnecessarily
14
Is Indemnification Required in a
BAA Under HIPAA?
No.
14
15
Types of Indemnification
Clauses & Their Impact on Other
Contractual Provisions
16
What is Indemnification?
• “To save harmless; to secure against loss or damage; to give security for the reimbursement of a person in case of an anticipated loss falling upon him. Also to make good; to compensate; to make reimbursement to one of a loss already incurred by him.” Cousins v. Paxton &
Gallagher Co., 122 Iowa. 405, 98 N- W. 277.
• Law Dictionary: What is INDEMNIFY? definition of INDEMNIFY (Black's Law Dictionary)
16
17
Types of Indemnification
Provisions
• Broad Form
• Intermediate Form
• Limited Form
17
18
The BAA, Indemnification and
Additional Considerations
Relationship between the parties.
Type of indemnification.
Has due diligence been done?
Are the parties located internationally?
Have state and international laws been considered?
How does the indemnification clause impact arbitration and other related contracts?
18
19
Indemnification:
Impact on and Interrelation with Related Provisions
20
Related Provisions
• Stay away from agency relationship
• Reallocation of breach responsibility
• Limitation on liability
• Insurance coverage
• Don’t forget the underlying service agreement
21
HIPAA and Agency
• HIPAA provides that a covered entity (or a business associate) will be liable under federal common law of agency
• Then again, if an agent, may not be a business associate
22
HIPAA and Agency
• What is an agent under federal law?
– Determined by specific factual scenario
– Can the covered entity (business associate) control the activities or conduct of the other party
– what authority or obligations are being delegated
– What skill is required to perform the services
• What are avenues for control?
– Just contract? General oversight?
23
Consequences of Agency
• What happens if there is an agency relationship?
– Could result in covered entity having more direct liability
– Could go around the contract provisions
– Harder to avoid liability
• As a good practice, avoid falling into agency situation
– Disclaim this type of relationship
24
Breach Notification
• What are response obligations?
– Is CE retaining full control?
– Does the BAA assign notification or other actions to the BA?
• What is required?
– BA: notify CE, mitigate incidents and breaches
– CE: provide notification to individuals (media and HHS, depending on circumstances)
25
Breach Notification
• May require: – Indemnity for response costs
– Indemnity for other costs associated with breach
– Cooperation and assistance with mitigation, notification, more
26
Limitation on Liability
• Some party may try to put cap on what it may owe
• Apply only to specific costs?
– Only breach response?
– Cut out anything but direct damages?
• i.e. no punitive, special, indirect, consequential, or other damages
27
Limitation on Liability
• Other Considerations:
– Disclaim for damages caused by subcontractors
– Seek comparative fault: each party responsible only for what it caused
28
Insurance Coverage
• Should insurance coverage be required?
– General liability, cyber, privacy, other?
• Can it be obtained?
• If include, identify policy limits
• Be aware of exclusions and conditions
• Could indemnification invalidate?
29
Insurance Coverage
• If include, consider:
– Require CE/BA, as applicable, be named as additional insured
– Ask for certificate of insurance and actually review
– Being able to review and/or approve coverage
• But be careful of exerting too much control
– Require notification in advance of any change or cancellation
– Tail coverage
30
The Service Agreement
• Don’t forget, the BAA attaches to a Service Agreement
– Does not exist in isolation
• What terms are in the Service Agreement?
– Limitation of Liability?
– Indemnification?
– More
• Which agreement (Service or BAA) controls?
31
Considerations for Attorneys and
Other Professional Responsibility Issues
32
Indemnification and Lawyers’
Professional Rules of Responsibility
• Some states do not allow it (North Carolina, New York, Illinois, Indiana, Kansas, Missouri, Arizona and Florida)
• Is the party a non-profit or for-profit? • Request a formal ethics opinion
– Found in State Bar ethics opinions - NYC Bar Association Ethics Opinion 2010-3 http://www.abcny.org/nycbar/index.php/ethics/ethics-opinions-local/2010-opinions/844-settlement-agreements-requiring-the-financial-assistance-of-counsel
– Under the New York Rules of Professional Conduct, attorneys signing hold harmless agreements along with their clients is a violation of Model Rules 1.8(e), possibly creating a conflict of interest. In addition, it is in violation of NY Model Rule 1.7(a).
32
33
To Include or Not To Include…
• Factors to address when considering an indemnification provision Who are the parties?
What are the relevant state laws?
How have the parties’ HIPAA compliance been evaluated?
What third parties could impact the contract?
Will a breach of a BAA provision cause harm?
34
Who are the parties and where are
they doing business?
35
Recovery of Attorney Fees
Long v. Abbruzzetti, 254 Va. 122, 128 (1997).
("[W]e recognized that, in the absence of contractual or statutory liability, attorneys' fees incurred in present or previous litigation between the same parties generally are not recoverable. However, we also stated that when a breach of contract has forced a plaintiff to maintain or defend a suit against a third person, the plaintiff may recover reasonable attorneys' fees incurred by him in the former suit.")
36
International Considerations
37
International Issues
• The reach of the U.S. Department of Justice.
• Venue, forum and arbitration clauses.
• ISO standards.
• The laws of other countries.
• Legal consequences (e.g., criminal and civil) of breaches outside the United States.
• Where is my data?
38
Best Practices for
Negotiating and Structuring
Indemnification Provisions
38
39
Best Negotiating Practices
• Who do you represent? – Covered entity?
– Business Associate?
– Subcontractor?
• What is the level and/or nature of risk?
• What is your client’s goal?
• What role will each party play?
• Who is likely to sue?
39
40
Negotiations
• Terms very often depend on each organization’s size
41
Covered Entity Considerations
• What is important from CE’s perspective? – What services are being provided?
– What is the extent of information being shared?
– Confidence in business associate
– Utilize “standard form” for all business associate agreements?
– What extent of damages want covered?
– Level of sophistication of both parties
41
42
More Covered Entity
Considerations
• Could indemnity provision boomerang because of state law?
• Is there a limitation or cap on the amount of damages that can be recovered?
43
Business Associate
Considerations
• How much leverage can the BA exert?
• Seek mutual obligation?
• Put limit on any indemnification provided?
• Other responsibilities? – i.e. professional obligations depending on type of BA
• Put pressure on CE by proposing own form BAA
• How handle a subcontractor?
43
44
Specific Business Associate
Issues
• Lawyer as BA – What professional responsibilities apply?
– Could there be an ethical conflict?
– Are you negotiating with a client over a BAA that you prepared?
– How much can you negotiate with a client?
45
Specific Business Associate
Issues
• CE as a Business Associate – Yes, this can happen
– Is the CE willing to be treated the same way that it treats its BAs?
– What terms has the CE been willing to accept from its BAs?
46
Specific Business Associate
Issues
• Hybrid Entities – Is the entire entity on the hook for the terms of the BAA?
– Can indemnification be limited to certain resources of the hybrid entity?
47
Structural Considerations
• Impact on and of liability insurance
• Can other parties benefit
• Is the indemnification provision consistent with public policy
• Mutuality
• Limit on damages
• Scope of actions covered
47
48
Structural Considerations
• Carve outs for certain acts
• What is the reality that a party can meet the indemnification obligations
• General limitation of liability necessary?
• Leave out altogether?
48
49
Questions and Contact Information
Matthew Fisher, JD, Associate Mirick, O'Connell, DeMallie & Lougee, LLP
508-929-1648
Rachel V. Rose, JD, MBA Rachel V. Rose – Attorney at Law, PLLC
Attorney at Law, PLLC [email protected]
713-907-7442
49