Stop! Don’t Sign that Business Associate Contract!

As readers of this blog (should) know, the HITECH provisions of the stimulus bill include a very significant expansion of regulatory authority over business associates. They also include a very significant increase in penalties for HIPAA violations. The upshot of these changes is that many organizations which were not previously subject to HIPAA penalties will (relatively) soon be exposed to new, important liability risks. This changes the risk calculus for many organizations and individuals which may want to reconsider whether they are, or want to be, business associates.

Previously, for many organizations and individuals in many business relationships with Covered Entities there has been little or no downside to signing a Business Associate Contract. In many cases – I’ve dealt with a great many of them – Covered Entity staff handling contracts for IT, accounting, legal and various kinds of consulting services have simply assumed that a Business Associate Contract is necessary. This assumption may or may not have been true, but was put forward without analysis, based upon a misunderstanding of the law, out of an excess of caution, or “because our lawyer requires it.” (Of course, lawyers themselves have been guilty of pushing this kind of assumption.)

For the purported Business Associate in this situation the Business Associate Contract has therefore been an obstacle to the deal, but generally a minor one. The Business Associate would not be exposed to regulatory penalties for violation of the contract, and where the Business Associate Contract’s terms don’t include significant penalties for violation – often the case, especially when the Covered Entity has gone with a simple form – the Business Associate’s risk for violation is pretty much limited to termination of the contract. As legal risks go, this isn’t a big one. So, many organizations have been willing to sign off on Business Associate Contracts as a condition to closing a deal or relationship with a Covered Entity, even if they really aren’t acting as a Business Associate, or could provide appropriate services without doing so. I know of quite a few IT, legal, accounting and consulting services companies where this is the case.

If you’re in that position you probably want to rethink it. As of next February 17, Business Associates will be directly regulated by Health and Human Services, directly subject to audit, and directly exposed to penalties for Security Rule violations, violations of HITECH provisions, and violations of their Business Associate Contracts. And these penalties are potentially much greater than they used to be; think hundreds of thousands or even millions of dollars, if you violate enough provisions and do it with “willful neglect.”

Now, just signing a Business Associate Contract shouldn’t be enough to make you a Business Associate – though it could certainly be taken as evidence you and your trading partner intend for you to be. I would take the position that even if my client signed a document accepting Business Associate status, it really isn’t unless it’s done something involving Protected Health Information on behalf of a Covered Entity. But that’s a legal argument, and if I have to make it my client will already be under investigation and at risk of penalties. I’d prefer not to go there, myself.

So, if you’re a Business Associate, or think you might be, or never really thought about it but signed off on a contract to make a deal happen, you probably want to consider the services you provide, whether you can or want to provide them in a different way if they currently involve Protected Health Information, and maybe whether the existing compensation reflects your soon-to-increase risk.

Me? As a lawyer and sometimes Business Associate, I certainly will be looking at this.
