11.01.04 Volume 1 Edition 5 iMed eNewsletter

The voice for the medical software reseller community.

HIPAA Corner: HIPAA Business Associate Agreements

HIPAA Business Associate Agreements

New specifications are mandated effective 4/20/2005!

Compliance suggestions are offered.

 

Most of us have encountered the HIPAA Business Associate Agreements (BAAs) originally required by the Privacy Rule.  You should be aware that with HIPAA Security, the specifications for the agreements have changed, and your clients need to update these agreements by 4/20/2005 to be in compliance.  There are a number of issues for the VAR with these agreements:

- Whether to offer your own contract or to sign your client's contract.
- How to negotiate the agreements.
- Understanding your liabilities.
- What steps are necessary to comply.

These important issues will be addressed after a brief history of the evolution of this contract.

 

History of the Business Associate Agreement:

The HIPAA Privacy rule, published in December 2000, established the requirement that covered entities obligate vendors who are exposed to Protected Health Information (PHI) to a specific set of provisions in a BAA.  Any VAR who is exposed to PHI (through user training with live data, dial-in support and troubleshooting, data conversions, EDI support, database repair) is a Business Associate.  The original specifications of the BAA include 11 specific provisions.  There is no universal “standard” contract, and in fact, each contract needs to be customized to the specific situation.  Since April 14 of 2003, all covered entities have been required to have a BAA in place with their VARs.

 

In February 2003, the final HIPAA Security Rule was issued with a compliance deadline of April 20, 2005.  The Security Rule adjusted the specifications for the BAA in ways that increase the compliance obligations of VARs.  To be in compliance, all of your clients will need to update any agreements that they have in place.

 

Required Provisions in the Agreement and Negotiation:

The original specifications of the BAA include 11 essential provisions:

  1. A custom clause must be provided that establishes the permitted uses and disclosures of PHI.  For a VAR, this clause might be: "Business associate is permitted to use and disclose protected health information to provide implementation and support services for computer software, including data conversion, user training, troubleshooting and technical support, file repair, EDI support, and other related activities."
  2. The agreement prohibits the use or disclosure of PHI other than as permitted above.
  3. The original specification mandated that the business associate implement "appropriate safeguards" to prevent the use or disclosure of PHI other than as allowed.
  4. The Business Associate must report to the covered entity any inappropriate disclosures of PHI.
  5. The Business Associate must bind its agents and subcontractors by the same rules as are contained in the Business Associate agreement.
  6. The Business Associate must provide assistance to the client as required to provide the patient access to his or her medical records.  (In most cases, this provision is not applicable to VARs.  For business associates such as billing services, this would be applicable.)
  7. The Business Associate must amend patient medical records as appropriate.  (Again, this provision is not applicable for most VARs.)
  8. The Business Associate must inform the patient of certain disclosures when requested.  (Usually not applicable for VARs.)
  9. The Business Associate must allow an audit of compliance with the Business Associate agreement by the U.S. Secretary of HHS if requested.
  10. The Business Associate must agree to destroy or return any PHI to the client upon contract termination, or if this is not possible, must limit any future use of the PHI to the reason that destruction is not possible.
  11. The Business Associate must agree to allow termination of the contract if the Business Associate is found to be in violation of the provisions of the agreement.

The Security Rule, effective 4/20/2005, essentially adds two new provisions:

  1. The third specification above is expanded to be:  the business associate must implement “physical, technical, and administrative safeguards” to protect the “confidentiality, integrity, and availability” of electronic PHI that it creates, receives, maintains, or transmits on behalf of the covered entity.
  2. The Business Associate must report to the covered entity any “security incident” of which it becomes aware.  A “security incident” is defined as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

 

If you choose to sign a client's agreement, you should be aware of what the law requires in the contract so that you don't take on unnecessary liability.  Attorneys have included a wide variety of "extra" requirements when writing these agreements for their hospital or medical practice clients.  Real-life examples of these "extras" include:

- Guarantees that EDI transactions be compliant with HIPAA regulations, along with the requirement that the VAR reimburse the client for any financial penalties that the client may incur for non-compliance.
- Requirements that the VAR indemnify the medical practice for any costs incurred as a result of the VAR's violations of the agreement.

 

If you choose to sign an agreement your client offers, you should absolutely read the agreement and compare it to the requirements listed above.  When you understand what is required, you can negotiate to delete any provisions which are not mandated by the HIPAA rules. Your business is hard enough without the extra risks some VARs have taken on by signing one-sided agreements.

 

Should the VAR offer their own Agreement?

VARs are split on whether to offer their own business associate agreement or whether to sign a client's agreement.  In fact, VARs who wait for the client to ask have found that many of their clients have never asked.  These clients are non-compliant with the HIPAA regulations, and it is true that this non-compliance is the problem of the medical practice, not the VAR.

 

Still, there are advantages to the VAR of having their own Business Associate agreement:

- It is a customer service, particularly valuable for small medical practices, that reduces their compliance effort.
- Drafting your own agreement allows terms favorable to you, and omits any "extra requirements" as described above.
- In sales situations, when asked for a BAA, having a standard agreement and a nice story to go along with it will demonstrate your sophistication and may provide you a sales advantage.

Marketing considerations are also important.  VARs need to balance the advantages of offering a standard agreement with the need to sell new systems.  For example, some VARs include Business Associate language in their standard sales agreement.  Longer and more complex contracts can often increase the time necessary for a sale, especially when the complex sales agreement causes the doctor to get the opinion of their attorney. 

There are multiple approaches to address this consideration.  For example, one VAR has a standard agreement, but in new sales situations presents it only when asked.  Another VAR uses a simplified format of the Business Associate agreement in their standard sales contract.

 

Compliance with the Agreement:

Virtually all VARs have signed Business Associate agreements with at least some clients.  And many VARs have admitted that they have done virtually nothing to comply with these agreements.  Under the HIPAA regulations, the VAR's primary liability when signing a business associate agreement is simply that the business relationship can be terminated by the client if you are found to be non-compliant.  There are no monetary penalties or criminal penalties specified under the HIPAA regulations for non-compliant business associates.

 

However, there are some legal theories under which the business associate requirements may amount to a "standard of care" which an attorney could use in civil litigation should a VAR's behavior result in some egregious privacy violation.  Consequently, VARs ought to take these contractual obligations seriously and should consider a compliance process similar to their customers' HIPAA compliance process:

 

  1. Conduct your own Risk Assessment – assess the disclosure risks for your organization.
  2. Identify appropriate “administrative, physical, and technical” safeguards.
  3. Implement these safeguards, and create your own Policy and Procedure Manual which documents these safeguards in writing.

 

Please note that one size does not fit all.  For example, the VAR who operates out of their house as a one-person operation is different from the VAR who uses a number of sub-contractors, who in turn is different from the VAR with 25 people, offices in two cities, and an ASP solution.

 

Suggested items for the VAR Policy and Procedure Manual:

The specifics of the VAR's compliance program will vary with the size, technical capabilities, and scope of service the VAR offers.  For VARs who have employees, here are some suggested items for your Policy and Procedure manual:

 

  1. Assigns security responsibility to a specific individual.
  2. Spells out in detail the obligations of employees to maintain the confidentiality of all customer PHI.
  3. Describes safeguards to protect customer modem phone numbers, sign-in user IDs and passwords.
  4. Describes a client on-line support policy which uses a HIPAA-compliant, secure method for remote system access (e.g. if the connection is made via the internet, encryption should be used; passwords should not be sent "in the clear"; any files transferred should be encrypted).
  5. Prohibits the use of real patient data for sales demonstrations.
  6. Establishes device and media controls, including data destruction policies for any client data on the VAR's systems.
  7. Establishes procedures for internal reporting of violations and/or security incidents, and for subsequent reporting to the customer of any inappropriate disclosures.
  8. Establishes sanctions for employee violations of procedures.
  9. Includes an e-mail policy prohibiting the use of PHI in standard, insecure e-mail.
  10. Mandates a business associate-like agreement with subcontractors, such as data conversion contractors.
  11. Requires appropriate firewalls, virus protection, system backup, and off-site storage for your internal network.
  12. Requires employees to sign off that they have read and understand these policies.

 

Conclusion:

VARs should realize that the specifications of the Business Associate agreement have changed and that all existing agreements must be upgraded for compliance.  The new agreement expands the obligations of the VAR.  If you have not already, you should consider offering a standard business associate agreement to your clients.  Finally, especially if you have employees, you should have written policies and procedures to protect your business by clearly defining your compliance activities.

 

VARs who are interested in a free educational "Webinar" on compliance with the business associate agreement, or who would like a sample business associate agreement compliant with the new specifications, should e-mail Gary Pritts at gpritts@eagleconsultingpartners.com.

 

-- Gary Pritts
Eagle Consulting Partners, Inc.
4415 Euclid Ave. #300, Cleveland, OH 44103
(216) 426-0519 (voice) (216) 432-0104 (fax) (216) 233-4960 (mobile)
web: www.eagleconsultingpartners.com
email: info@eagleconsultingpartners.com

 

Gary Pritts is not affiliated with InvestMed; he is a healthcare, business and information systems consultant with 25 years of experience.  To contact Gary with questions about this article or HIPAA in general, visit his website at www.eagleconsultingpartners.com.

Copyright © InvestMed, LLC and its licensors.  All rights reserved.
Images provided by www.plattphotography.com