Avoiding Liability for Business Associates’ Breaches: Guidance
This is the second installment in a three-part series on avoiding liability for breaches by business associates. It offers practical guidance on structuring the business associate relationship so that the covered entity is not held liable for the business associate's breaches.
For background on the changes to the business associate relationship in the HITECH Act and the Omnibus Final Rule, see the first installment in this series.
Eliminating Liability Risk for Business Associates’ Breaches
To avoid liability for business associates' breaches, the business associate agreement must describe how the business associate will provide the service for or on behalf of the covered entity only in general terms. It must not give the covered entity the right to control the business associate's day-to-day conduct of the work, even if the covered entity never actually exercises that right, because it is the right to control, not its exercise, that creates an agency relationship.
For example, a contract with a shredding service should say only that the business associate is authorized to destroy the covered entity's paper records, with language such as "in a manner that preserves confidentiality." Contrast that with the following language, which should be avoided:
"Business associate will shred the paper records by picking them up every Friday at 1:00 p.m., putting them into a secure locked bin approved by [name of covered entity or upstream business associate] and transporting them in a secure, locked vehicle approved by [name of covered entity or upstream business associate] to business associate's secure site and shredding them with a Cummins Allison particle-cut high security commercial paper shredder that meets the latest National Security Agency specifications and Department of Defense standards for secure destruction of paper-based Top Secret, Communications Security, and Sensitive Compartmented Information materials. The shredding must be accomplished within one (1) hour of receipt of the records at the business associate's site, and business associate must complete the destruction certificate attached to this business associate agreement as Appendix A. Business associate agrees that [name of covered entity or upstream business associate] may audit any and all portions of the shredding operations. Any deviation from these standards must be approved by [name of covered entity or upstream business associate]'s Security Officer."
The language of this agreement strongly suggests that the shredding service is the agent of the covered entity or upstream business associate, because it gives the covered entity detailed control over the day-to-day shredding activities: the pickup schedule, the containers, the vehicle, the equipment, the time limit, the audit right, and the approval of any deviation.
One important action entities should take now to address this greater exposure for breaches by business associates is to review whether their insurance covers HIPAA liability arising from a business associate's breach. Some malpractice policies, for instance, cover HIPAA breaches only when committed by employees of the practice, not by independent contractors. Covered entities can also attempt to negotiate an indemnification clause in the business associate agreement, under which the business associate agrees to indemnify (reimburse) the covered entity for any liability incurred as a result of the business associate's breach, or require the business associate to carry insurance for such breaches.
The third installment of this series will discuss adjustments needed in the business associate relationship, as well as ongoing strategies for adapting to the recent changes.
Jonathan P. Tomes is a partner at Tomes & Dvorak, Chartered, in Overland Park, KS, president of EMR Legal, Inc., a HIPAA consulting company, and the author of more than 60 books and dozens of articles on medical records law and HIPAA.