This section of the contract identifies the following: 1) the parties; 2) the parties' principal place of business; and 3) the specific type of business that the parties are engaged in. It also provides a brief summary as to why the parties are entering into a binding agreement. In short, it sets the stage for the remainder of the
Wherever possible, it is usually best to define terms of art in a definitions section so that the parties are clear as to their meaning or, at a minimum, may question a particular definition. For the most part, this type of contract should define terms of art according to their regulatory definition, and therefore there should be little disagreement between the parties as to what a term means.
It is anticipated, as between any two parties, that there will be additional terms that should be specified in this section. If there is a statutory or regulatory definition that is on point, then clearly that is the definition to be used. Where a term of art is not defined in a statute or regulation, it is preferable, where available, to use an authoritative definition that is widely accepted in your particular area of the healthcare industry. Barring the availability of a statutory, regulatory or industry definition, you should provide clear and succinct definitions for terms that are used in multiple contractual clauses or sections, both for consistency and for ease of subsequent interpretation by a government agency or a court of law.
Obligations and Activities of Business Associate Section
The following two sections comprise the substantive aspects of the BA's duties. They identify the covenants and conditions that pertain to the BA. These covenants and conditions are, for the most part, based on statutory and/or regulatory requirements, but not all of them are. The contract will have to make some assumptions as to what may be "reasonable" where the respective statutes and regulations do not provide a fixed requirement. Reasonableness is in the eye of the beholder, and its precise definition will ultimately be determined by a court of law; therefore, special attention should be paid to what is provided for therein.
Under HITECH Section 13401, BAs are now directly required by statute, and by the corresponding regulations, to comply with the HIPAA Security Rule ("SR"). However, CEs should consider making compliance with the HIPAA Security Rule a contractual requirement as well, for the following reasons: 1) it allows the CE to sue "on the contract" if a BA violates the SR; and 2) it deals contractually with the issue of international BAs, who are not subject to U.S. law.
Section 13402(b) of the HITECH Act mandates that a BA notify a CE if there is a breach of unsecured PHI. According to recent (April 2009) HHS guidance, unsecured PHI is protected health information that is not secured in a manner that renders it "unusable, unreadable or indecipherable." For all practical purposes this means PHI that has not been encrypted using the technologies that HHS indicates will produce the desired result.
There are additional HITECH-specific requirements that must be included in the contract, including but not limited to: 1) Breach Notification requirements; and 2) Accounting of Disclosures requirements. Furthermore, the contract should specify the "manner and format" in which this information should be provided by the BA to the
Permitted Uses and Disclosures of Business Associate Section
This section enumerates the permitted uses and disclosures of PHI that a BA is authorized to perform under the contract. The contract clauses contained here are, for the most part, common-sense provisions that state that a BA is free to use or disclose PHI in a manner necessary to perform its services (the term "services" is being used here in its broadest sense and encompasses a "product" as well). Such use of PHI is permitted in the prescribed manner as long as the BA does not violate: 1) the contract; 2) the Privacy Rule; and 3) the relevant provisions of the HITECH Act.
This section also usually contains a contract clause that pertains to a BA that provides Data Aggregation Services ("DAS") on behalf of one or more CEs. Such services are allowed under the regulations, but only if the DAS pertains to Health Care Operations ("HCO"). See 45 CFR §164.504(e)(2)(i)(B). In short, DAS may be provided by a BA as long as these services are restricted to HCO. The health care community is becoming increasingly interested in DAS because these services have the potential of providing information that can simultaneously reduce costs and improve the delivery of care.
Clearly, given the increased demand, there are a number of BAs (e.g. software vendors) that are eager to fill this market need. However, caveat emptor applies in this case, as it does with any BA relationship (i.e. from the perspective of the CE). The BA must ensure that DAS are provided in a manner that does not expose PHI to CEs that should not be seeing it. This is a non-trivial security challenge, because the entire objective of DAS is to collect data from multiple CEs and then disseminate that data in a way that provides value to all participating entities. It is the CE that must perform the required due diligence to ensure that a BA has the processes and technologies in place to deliver on the promise.
Obligations and Activities of Covered Entity Section
It is clear, once you review one of these contracts (from the size of the "obligations" section of each respective entity), that these contracts are, by definition, CE-centric. This is a reflection of the fact that it is ultimately the CE that "owns" the relationship with the patient (i.e. from the perspective of the applicable laws and regulations and as a practical matter), despite the relative negotiating strengths between any specific CE/BA pair. It is certainly not (usually) an attempt on the part of the drafters to overly burden the BA with additional covenants and
Contract clauses in this section state that the CE has a continuing affirmative duty to notify the BA of provisions and limitations of its privacy notice and practices, to the extent that said provisions and limitations may have an impact on the uses and disclosures a BA is permitted to make under the contract and under applicable law. See 45 CFR §164.520.
As a practical matter, this means that a CE should provide its privacy notice to all its BAs and, where appropriate, highlight specific provisions and limitations that may impact a particular BA. Given the quickly evolving HITECH regulatory landscape, it is anticipated that, unlike under HIPAA, a CE's privacy notice will of necessity need to evolve in order to meet new statutory/regulatory requirements. There are other affirmative duties required of the CE; the example above is but one of several.
Term and Termination Section
Most contracts contain Term and Termination provisions, which state when the agreement begins and when/how it ends. General principles governing the formation and termination of contracts apply, and may vary somewhat from state to state. In general, a contract becomes enforceable on its effective date. Once a contract becomes effective, it will remain in effect until validly terminated. Termination may occur in any number of ways, for example, when a specified time expires, when a specified event occurs, or when the contract is breached.
Entire Agreement Section
The contract will be a playbook, so to speak, for that part of the relationship between the CE and the BA that involves the provisions included in the contract, generally related to PHI. There are likely to be other contracts between the CE and the BA, but this agreement rules the day insofar as PHI goes, and it will trump any provisions in other contracts between the parties that touch on this subject matter. If you need to make changes to the contract after it becomes effective, you must do so in writing (i.e. at least if you want the modifications to be relevant when you need them most).
Governing Law Section
Nobody likes getting sued (not even lawyers like getting sued; they would much rather initiate suits), but if you are going to get sued then you might as well do it in your own backyard, unless you have a compelling reason to do it in some other jurisdiction and venue. Generally, the law of the place where a contract will be performed governs the contract. In this section, you get to choose which state's law will apply to the contract. Selecting your home state may give you home court advantage, but the laws of another state may be more favorable to you. If you are not certain whether your state's law would be most advantageous to you, contact your attorney prior to selecting a state.
This section covers several separate but important principles regarding the contract, and provides guidance for understanding or interpreting the same. It also contemplates that the contract may need to be amended at some point to keep up with changing rules and regulations. Essentially it's a "grab bag" section that contains clauses that don't seem to fit anywhere else.
Providing for the contract to be executed in counterparts allows you to enter into the contract without the need for both parties to be in the same room at the same time to sign the contract. This is particularly useful when the parties reside in different areas, or are unable to coordinate busy schedules.
Threshold Questions: Who's a Business Associate?
If you do business with health care providers, then the obvious question is whether or not you are a business associate. The answer to that question is that "it depends on what you do on behalf of a CE, and specifically the kind of data that you interact with." In the general case, the definition of Business Associate means, with respect to a CE, a person who:
(i) On behalf of such covered entity or of an organized health care arrangement (as defined in §164.501 of this subchapter) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs, or assists in the performance of:
(A) A function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or
(B) Any other function or activity regulated by this subchapter; or
(ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in §164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.
In other words, a provider's business universe is literally chock-full of potential business associates. The key test, however, is whether this "person" (or entity) requires the disclosure of "individually identifiable health information" in order to deliver their product or service to, or on behalf of, the
Business Associate Privacy Rule Compliance?
A BA is not directly required by HITECH to comply with the HIPAA Privacy Rule, except of course as specified within the SR (i.e. there are no "bright lines" between the two in certain areas). However, a BA is required to comply with those sections of the PR that are specified in the required contract with its
Entities are likely going to insist that a BA comply with all appropriate substantive sections of the PR that pertain to the type of services a
on behalf of the CE.
As a practical matter, BAs will be "on the hook" contractually regarding PR compliance. HITECH Section 13404 strengthens the contractual arrangement between the parties by mandating, among other things, mutual reciprocal monitoring for a material breach of the contract. The bottom line is that the regulatory environment for business associates has become much more complex.