Business Associate Agreement Content


Contract Sections

Introduction Section

This section of the contract identifies the following: 1) the parties; 2) the parties' principal place of business; and 3) the specific type of business that the parties are engaged in. It also provides a brief summary as to why the parties are entering into a binding agreement. In short, it sets the stage for the remainder of the contract.


Definitions Section

Wherever possible, it is usually best to define terms of art in a definitions section so that parties are clear as to their meaning, or at a minimum, may question a particular definition. For the most part, this type of contract should define terms of art according to their regulatory definition, and therefore, there should be little disagreement between the parties as to what a term means.

It is anticipated, as between any two parties, that there will be additional terms that should be specified in this section. If there is a statutory or regulatory definition that is on point, then clearly that is the definition to be used. Where a term of art is not defined in a statute or regulation then it is preferable, where available, to use an authoritative definition that is widely accepted in your particular area of the healthcare industry. Barring the availability of a statutory, regulatory or industry definition, you should provide clear and succinct definitions for terms that are used in multiple contractual clauses or sections, both for consistency and for ease of subsequent interpretation by a government agency or a court of law. 


Obligations and Activities of Business Associate Section

The following two sections comprise the substantive aspects of the BA's duties. They identify the covenants and conditions that pertain to the BA. These covenants and conditions are, for the most part, based on statutory and/or regulatory requirements, but not all. The contract will have to make some assumptions as to what may be “reasonable” where the respective statutes and regulations do not provide a fixed requirement. Reasonableness is in the eye of the beholder, and its precise definition will ultimately be determined by a court of law; therefore, special attention should be paid to what is provided for therein.

Under HITECH Section 13401, BAs are now directly required by statute, and by the corresponding regulations, to comply with the HIPAA Security Rule ("SR"). However, CEs should consider making compliance with the HIPAA Security Rule a contractual requirement as well, for the following reasons: 1) it allows the CE to sue "on the contract" if a BA violates the SR; and 2) it deals contractually with the issue of international BAs, who are not subject to U.S. law.

Section 13402(b) of the HITECH Act mandates that a BA notify a CE if there is a breach of unsecured PHI. According to recent (April 2009) HHS guidance, unsecured PHI is protected health information that is not secured in a manner that renders it “unusable, unreadable or indecipherable.” For all practical purposes this means PHI that has not been encrypted as per technologies that HHS indicates will produce the desired result.

There are additional HITECH specific requirements that must be included in the contract, including but not limited to: 1) Breach Notification requirements; and 2) Accounting Disclosure requirements. Furthermore, the contract should specify the "manner and format" in which this information should be provided by the BA to the CE.


Permitted Uses and Disclosures of Business Associate Section

This section enumerates the permitted uses and disclosures of PHI that a BA is authorized to perform under the contract. The contract clauses contained here are, for the most part, common sense provisions that state that a BA is free to use or disclose PHI in a manner necessary to perform its services (the term “services” is being used here in its broadest sense and encompasses a “product” as well). Such use of PHI is permitted in the prescribed manner as long as the BA does not violate: 1) the contract; 2) the Privacy Rule; and 3) the relevant provisions of the HITECH Act.

This section also usually contains a contract clause that pertains to a BA that provides Data Aggregation Services (“DAS”) on behalf of one or more CEs. Such services are allowed under the regulations but only if the DAS pertains to Health Care Operations (“HCO”). See 45 CFR §164.504(e)(2)(i)(B). In short, DAS may be provided by a BA as long as these services are restricted to HCO. The health care community is becoming increasingly interested in DAS because these services have the potential of providing information that can simultaneously reduce costs and improve the delivery of care.

Clearly, given the increased demand, there are a number of BAs (e.g. software vendors) that are eager to fill this market need. However, caveat emptor applies in this case, as it does with any BA relationship (i.e. from the perspective of the CE). The BA must ensure that DAS are provided in a manner that does not expose PHI to CEs that should not be seeing it. It is a non-trivial security challenge to do this when the entire objective of DAS is to collect data from multiple CEs and then disseminate that data in a way that provides value to all participating entities. It is the CE that must perform the required due diligence to ensure that a BA has the processes and technologies in place to deliver on the promise.


Obligations and Activities of Covered Entity Section

It is clear, once you review one of these contracts (from the size of the “obligations” section of each respective entity), that these contracts are, by definition, CE centric. This is a reflection of the fact that it is ultimately the CE that “owns” the relationship with the patient (i.e. from the perspective of the applicable laws and regulations and as a practical matter), despite the relative negotiating strengths between any specific CE/BA pair. It is certainly not (usually) an attempt on the part of the drafters to overly burden the BA with additional covenants and conditions.

Contract clauses in this section state that the CE has a continuing affirmative duty to notify the BA of provisions and limitations of its privacy notice and practices to the extent that said provisions and limitations may have an impact on the uses and disclosures a BA is permitted to make under the contract, and under applicable law. See 45 CFR §164.520.

As a practical matter, this means that a CE should provide its privacy notice to all its BAs and, where appropriate, highlight specific provisions and limitations that may impact a particular BA. Given the quickly evolving HITECH regulatory landscape, it is anticipated that, unlike HIPAA, a CE’s privacy notice will of necessity need to evolve in order to meet new statutory/regulatory requirements.

There are other affirmative duties required of the CE; the example above is but one of several.


Term and Termination Section

Most contracts contain Term and Termination provisions, which state when the agreement begins, and when/how it ends. General principles governing the formation and termination of contracts apply, and may vary somewhat from state to state. In general, a contract becomes enforceable on its effective date. Once a contract becomes effective, it will remain in effect until validly terminated. Termination may occur in any number of ways, for example, when a specified time expires, when a specified event occurs, or when the contract is breached.


Entire Agreement Section

The contract will be a playbook, so to speak, for that part of the relationship between the CE and the BA that involves the provisions included in the contract, generally related to PHI. There are likely to be other contracts between the CE and the BA, but this agreement rules the day insofar as PHI goes, and it will trump any provisions in other contracts between the parties that touch on this subject matter. If you need to make changes to the contract after it becomes effective, you must do so in writing (i.e. at least if you want the modifications to be relevant when you need them most).


Governing Law Section

Nobody likes getting sued (not even lawyers like getting sued; they would much rather initiate suits), but if you are going to get sued then you might as well do it in your backyard, unless you have a compelling reason to do it in some other jurisdiction and venue. Generally, the law of the place where a contract will be performed governs the contract. In this section, you get to choose which state’s law will apply to the contract. Selecting your home state may give you home court advantage, but the laws of another state may be more favorable to you. If you are not certain whether your state law would be most advantageous to you, contact your attorney prior to selecting a state.


Miscellaneous Section

This section covers several separate but important principles regarding the contract, and provides guidance for understanding or interpreting same. It also contemplates that the contract may need to be amended at some point to keep up with changing rules and regulations. Essentially, it's a "grab bag" section that contains clauses that don't seem to fit anywhere else.


Counterparts Section

Providing for the contract to be executed in counterparts allows you to enter into the contract without the need for both parties to be in the same room at the same time to sign the contract. This is particularly useful when the parties reside in different areas, or are unable to coordinate busy schedules.


Threshold Questions: Who's a Business Associate? 

If you do business with health care providers then the obvious question is whether or not you are a business associate. The answer to that question is that "it depends on what you do on behalf of a CE, and specifically the kind of data that you interact with." In the general case, the definition of Business Associate means, with respect to a CE, a person who:

(i) On behalf of such covered entity or of an organized health care arrangement (as defined in §164.501 of this subchapter) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs, or assists in the performance of:

(A) A function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or

(B) Any other function or activity regulated by this subchapter; or

(ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in §164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.

In other words, a provider's business universe is literally chock-full of potential business associates. The key test, however, is whether this "person" (or entity) requires the disclosure of "individually identifiable health information" in order to deliver their product or service to, or on behalf of, the CE.

Business Associate Privacy Rule Compliance?

A BA is not directly required by HITECH to comply with the HIPAA Privacy Rule, except of course as specified within the SR (i.e. there are no “bright lines” between the two in certain areas). However, a BA is required to comply with those sections of the PR that are specified in the required contract with its respective CE.

Covered Entities are likely going to insist that a BA comply with all appropriate substantive sections of the PR that pertain to the type of services a BA provides on behalf of the CE. As a practical matter, BAs will be “on the hook” contractually regarding PR compliance. HITECH Section 13404 strengthens the contractual arrangement between the parties by mandating, among other things, mutual reciprocal monitoring for a material breach of the contract.

The bottom line is that the regulatory environment for business associates has become much more complex.