Not All BAAs are Created Equal

Why you need to understand what you're signing, and always read the fine print

Business owners sometimes sign contracts on request with little review. Whether because they are pressed for time, implicitly trust the other party, or are uncomfortable with legalese, it is easy to just initial here and sign there. That attitude invites problems down the line. There is a reason people say you should always read the fine print.

HIPAA violations can lead to large fines, even for small practices. HIPAA also regulates the relationship between covered entities such as medical practices and their Business Associates. The key point is that a Business Associate must protect patient information with the same safeguards required of the practice itself. However, whether through intent or ignorance, Business Associates can fail to implement those safeguards or misunderstand the extent of what is required of them, and that gap is often reflected in the Business Associate Agreement (BAA) itself.

If a BAA is signed without review and is missing key requirements, the practice can face legal repercussions and a significant financial impact if it is audited or a HIPAA complaint is made against it. To avoid signing an insufficient BAA, practices can obtain legal counsel to confirm that the executed Business Associate Agreement meets the Department of Health and Human Services' (HHS) requirements and includes all the legally required elements of a valid HIPAA business associate contract (set out in 45 CFR 164.504(e)).

Real World Example

Skipping this step can leave a practice exposed. Below is a clause from an insufficient Business Associate Agreement from a national copier company, which a practice actually agreed to:

“Neither <company> nor any affiliate has an obligation under the Addendum to erase or overwrite Data prior to or upon Customer’s return of the Equipment to <company> or any leasing company or other disposition of the Equipment. Customer is solely responsible for determining and implementing the appropriate method of erasing or overwriting Data….Accordingly, Customer shall indemnify and hold <company> and its parent company, affiliates, directors, officers, employees and agents harmless from and against any and all costs, liabilities, claims, damages, judgments or fees (including reasonable attorney’s fees) arising or related to Customer’s failure to erase, overwrite or destroy the Data.”

This clause specifically releases the vendor from any obligation to erase or destroy data on equipment leased to the practice. By signing that BAA, the practice assumed all liability for data remaining on the equipment once it was returned to the Business Associate. That matters because copiers and multifunction printers store copies of scanned and printed documents on internal drives, and a practice might reasonably assume the vendor will wipe them, since data destruction is a service printer/copier vendors of this scale commonly offer. Here, however, the contract disclaims any responsibility for deleting data from returned devices, removes the vendor's liability, and requires the practice to indemnify the vendor if patient data is left behind.

Why is this a problem? The HIPAA Security Rule's device and media controls standard requires policies and procedures for the final disposal of electronic patient data and the hardware it is stored on. Returning a copier with patient records still on its drive, with no one contractually responsible for wiping it, is exactly how that requirement fails. The practice in this example should request an amendment from the Business Associate, or replace the vendor with one that provides appropriate HIPAA data security assurances.

Your practice probably puts its best effort into protecting private patient data, so don't leave yourself open to mistakes made by those you contract with. Like any good contract, a good BAA protects both parties. And don't skip them altogether: operating without a BAA in place is itself a HIPAA violation. Always read the fine print.