We have written about business associates on previous occasions; if you want to get grounded in business associate basics, we encourage you to peruse those earlier posts. This article focuses on business associates that are software vendors, and on the issues this relationship presents from the business associate's perspective.
In many cases, where business associate software vendors ("Vendors") are dealing with small covered entities, the Vendor is usually driving the relationship. From a business associate agreement ("BAA") perspective, this tends to favor the Vendor for a number of reasons that we discuss next.
First, if the covered entity is signing the Vendor's BAA, then the "nasty" issue of indemnification for a breach does NOT come up, for the obvious reason that the Vendor drafted the BAA. Other potentially burdensome terms, such as the covered entity asking for veto power over the Vendor's subcontractors ("Subs") (who are themselves business associates if the Vendor shares PHI with them), likewise do not arise.
However, all that changes if the covered entity ("CE") insists on having the Vendor sign the CE's BAA. Now the Vendor will likely need to deal not only with indemnification but also with a host of other burdensome terms it may not have anticipated (e.g., the CE asking the Vendor to have, or obtain, cyberinsurance with a significant amount of coverage).
Here's why the coverage demanded will appear draconian. Assume that the Vendor experiences a Breach of 5,000 patient records for which it has to indemnify the CE, and assume a cost of $200 per patient. That figure is conservative: the Ponemon Institute estimates that it costs the healthcare industry over $300 per patient to notify. Even at $200 per patient, a 5,000-record Breach would cost a cool $1 million in notification costs alone. With thumb drives and mobile devices now capable of holding millions of records, a Breach of 100K records would be considered small, and at the same rate it would cost the Vendor $20 million in indemnification costs.
In short, anything less than a $10 million policy is likely to be a waste of money; it is simply not enough to cover the cost of even a relatively small breach. Because cyberinsurance is a new game in town, insurers are still struggling to develop competitive pricing. So, if you are shopping for coverage, it pays to perform a significant amount of due diligence on both the premiums and what the policy actually covers.
Of course, the absolute BEST insurance is to encrypt ALL PHI according to the NIST standards referenced in the HHS guidance (NIST SP 800-111 for data at rest; NIST SP 800-52, 800-77 and 800-113 for data in transit). If the Vendor encrypts PHI as specified, there can be no reportable Breach by definition, because the PHI has been rendered "unusable, unreadable, or indecipherable to unauthorized individuals" and is therefore not "unsecured PHI" under the breach notification rule. The translation of which is that the bad guys can't do anything with it. One caveat a careful CE will raise: the safe harbor holds only if the decryption key was not compromised along with the data, which is why HHS advises keeping keys on a device or at a location separate from the data they protect; an encrypted laptop lost together with its key or passphrase gets no protection. Done properly, though, this is a powerful argument to present to a CE as to why (perhaps) a much smaller amount of cyberinsurance is required.