Time to Refine Your BAA - Don't Follow the Flock!

By Rachel Yount, Associate, Arent Fox LLP
By Jade Kelly, Partner, Arent Fox LLP

Original Publish Date: October 10, 2017

Many health care providers and other covered entities subject to the Health Insurance Portability and Accountability Act (“HIPAA”) have template business associate agreements (“BAA”) that focus purely on HIPAA’s requirements. HIPAA compliance is, of course, essential, but the universe of laws affecting protected health information (“PHI”) is much broader. Covered entities should review their template BAAs and consider expanding their scope to address applicable state breach notification laws as well.

Traditional BAAs

HIPAA requires covered entities to enter into BAAs with their business associates (vendors and other entities that create, receive, maintain, or transmit PHI for the purpose of performing certain functions for or providing services to covered entities). BAAs have several foci: they help ensure that business associates appropriately safeguard PHI, they subscribe permissible uses and disclosures of PHI, and they outline business associates’ responsibilities and liabilities in the event of a HIPAA breach.

State Breach Notification Laws

BAAs generally do not, however, address state breach notification laws that may also apply to PHI and other personal information that business associates handle. This is understandable, as state laws may not require BAAs or any particular language regarding breach notification in any other type of agreement with a business associate. As a result, covered entities and business associates may – wrongly – assume that HIPAA covers all types of reportable breaches. This is an erroneous and potentially costly assumption. For instance, California has two breach notification laws, which can apply even if there is no HIPAA breach:

California Health & Safety Code Section 1280.15: Section 1280.15 requires hospitals and certain other health facilities to prevent unlawful or unauthorized access to, and use or disclosure of, patients’ medical information. Medical information is individually identifiable information, in electronic or physical form, in the possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment. Such facilities are required to report any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information to the California Department of Public Health and each affected patient no later than 15 business days after the unlawful or unauthorized access, use, or disclosure is detected by the facility.
California Civil Code § 1798.82: Section 1798.82 requires a business to notify the affected individual (and the Attorney General if over 500 individuals are affected) if there was, or is reasonably believed to have been, an unauthorized acquisition of computerized data containing a California resident’s unencrypted personal information. The notification needs to be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. Personal information includes: an individual’s first name or first initial and last name in combination with any one or more of the following data elements: social security number; medical information; and health insurance information, among other things.

Unlike HIPAA, neither of these laws contain a breach risk assessment provision whereby the entity can determine that there was no breach if there is a demonstrably low probability that the PHI has been compromised.

Non-HIPAA Breaches

With increasing frequency, we see situations where a business associate has caused an incident that amounts to a reportable breach under state law, but does not necessarily amount to a reportable breach under HIPAA. This typically occurs in two situations:

The information affected by the incident did not constitute PHI, but still amounted to personal information subject to the state’s data breach notification law. For example, patient names and associated social security numbers may have been acquired by an unauthorized third party through a phishing attack on the business associate; or
The information affected was PHI and is reportable under state law, but there was not a reportable breach under HIPAA because there was a low risk of compromise to the PHI. For example, patient names and associated medical information may have been emailed by a business associate to an unauthorized third party, but such third party also happens to be a covered entity, which returns the information and attests that it will not be further used or disclosed.

In these situations, if your BAA is not drafted to cover applicable state data breach notification laws, then your organization could end up high and dry, particularly with respect to prompt breach notification, coverage of breach notification costs, and other indemnification by the business associate.

Recommended Revisions to BAAs

Although state law may not require BAAs, to limit their risk, covered entities are well advised to review their template BAAs to ensure they address both HIPAA and state law. In particular, we suggest focusing on the following provisions:

Protected Information: consider expanding the scope of your BAA to protect all personal information handled by the business associate, not just PHI.
Definition of Breach: modify the definition of “breach” to include breaches under HIPAA and applicable state breach notification laws.
Obligation to Report Breaches or Incidents: include a provision requiring business associates to report breaches under HIPAA and/or state breach notification laws within a specified period of time, so that the covered entity can timely meet its notification obligations under state law and HIPAA.
Broad Indemnification Provisions: broadly draft indemnification provisions to cover costs, expenses, fines, penalties, and other liabilities arising from breaches and violations of HIPAA and applicable state laws caused by the business associate.

Along with this, covered entities should be prepared to educate their business associates (especially those located in other states) regarding any increased compliance expectations as a result of state law.

With data breaches on the rise, an increasing number of which are caused by vendors and other business associates, it is critical that covered entities take all reasonable steps available to protect themselves in the event of a breach. Updating your BAA is one relatively cost effective step that your organization can take to manage risk and mitigate liability.

To learn more about Arent Fox LLP visit www.arentfox.com.