Privacy Compliance & Data Security Information on Data Breach Prevention and the Appropriate Response

A Business Associate Agreement Dilemma: To Indemnify or Not to Indemnify – Ten Considerations

Posted in HIPAA

The below originally appeared on our HIPAA, HITECH & HIT blog on October 1.  It is authored by our partner, Michael Kline.  You can contact Michael at mkline@foxrothschild.com.


A party (Party) to a HIPAA Business Associate Agreement (BAA) or Subcontractor Agreement (SCA), whether a covered entity (CE), business associate (BA) or subcontractor (SC), may struggle with the question of whether to agree to, demand, request, submit to, negotiate or permit an indemnification provision (Provision) respecting the counterparty (Counterparty) under a BAA or SCA. On January 25, 2013, the U.S. Department of Health and Human Services published “Sample Business Associate Agreement Provisions,” which were silent on the matter of indemnification. Nonetheless, inclusion of Provisions is often a major question for Parties to BAAs and SCAs.

There are a number of common themes that, at a minimum, may determine in a specific case for a Party whether the BAA or SCA should include such a Provision.  Because a breach of HIPAA, especially in the areas of privacy and security, can result in enormous financial liability, humiliating publicity and large monetary penalties, appropriate care should be given regarding such Provisions. In addition to the items listed below, the relative bargaining power of the Parties may be a significant factor in this matter.  Below are ten items for consideration.

1. A CE or BA may assert that it has a “standard form” of BAA that includes a Provision running solely for such Party’s benefit. The Counterparty may legitimately push back and demand that such Provision be removed, or at least that the BAA be revised to include a reciprocal Provision for its benefit. (A Party may also ask its Counterparty whether the Counterparty has ever previously executed a BAA or SCA that does not contain such a Provision.)

2. Before a Party agrees to any Provision whereby it is indemnifying the Counterparty, it should find out from its own liability insurance carrier whether such a Provision is permitted under such Party’s insurance policy or if agreeing to such a Provision will have any adverse impact on its insurance coverage.

3. If a Provision is to be included (and perhaps as a general rule), there should be a negation of potential third party beneficiary rights under the BAA or SCA. For example, HIPAA specifically excludes individual private rights of action for a breach of HIPAA – a Party does not want to run a risk of unintentionally creating a separate contractual private right of action in favor of a third party under a Provision.

4. A Party should endeavor to limit its own maximum dollar amount exposure for indemnification. For this reason alone, a Provision should be viewed as not standard.

5. A Party should endeavor to limit the time period for indemnification under the Provision.

6. If the BAA or SCA includes a Provision, a Party may desire to limit its monetary liability for any and all breaches under the BAA or SCA solely to the indemnification obligations under the Provision.

7. A Party should consider expressly limiting its monetary liability under the Provisions to events directly and proximately caused by a material breach of the BAA and only to the extent that the material breach of such Party caused damages to the Counterparty.

8. Where a BA or SC is a lawyer or law firm that is counsel (or another licensed person who has professional and ethical obligations) to a Counterparty, consider whether there are professional responsibilities of attorneys (or such other licensed person) respecting the negotiation of the Provision, including notifying the Counterparty that it should consider retaining separate counsel to advise it on the Provision (and other terms).

9. If a regulatory authority exacts a monetary penalty from a Party in connection with a HIPAA breach or such Party is found to have been involved in a HIPAA breach, the right to indemnification of such Party by the Counterparty under a Provision may be limited or not enforceable at all as a matter of public policy.

10. If a Provision is to be included, attention should be given to its impact on corollary matters, such as limitation on recovery of consequential, special, punitive and other damages and attorneys’ fees and legal expenses.

In light of the above and other potential considerations, careful thought should be given as to whether or not a Provision is appropriate in a specific case and merits what could become a serious and potentially irresolvable stumbling block to the underlying business relationship.  In extreme cases, the matter of indemnification and its complexities and consequences could even result in termination of the business relationship between the Parties.