Comment HIPAA Business Associate Agreement with airSlate SignNow

Eliminate paperwork and optimize document processing for higher productivity and countless opportunities. Discover the best manner of running your business with airSlate SignNow.

Award-winning eSignature solution

Send my document for signature

Get your document eSigned by multiple recipients.

Sign my own document

Add your eSignature to a document in a few clicks.

Do more on the web with a globally-trusted eSignature platform

Outstanding signing experience

You can make eSigning workflows intuitive, fast, and effective for your customers and employees. Get your documents signed in a few minutes.

Reliable reporting and analytics

Real-time access combined with immediate notifications means you’ll never miss a thing. Check statistics and document progress via easy-to-understand reporting and dashboards.

Mobile eSigning in person and remotely

airSlate SignNow lets you sign on any device from any place, whether you are working remotely from home or are in person at the office. Every eSigning experience is versatile and easy to customize.

Industry rules and compliance

Your electronic signatures are legally valid. airSlate SignNow assures the top-level compliance with US and EU eSignature laws and supports industry-specific regulations.

Comment hipaa business associate agreement, quicker than ever

airSlate SignNow provides a comment hipaa business associate agreement feature that helps improve document workflows, get contracts signed quickly, and operate effortlessly with PDFs.

Handy eSignature extensions

Make the most of easy-to-install airSlate SignNow add-ons for Google Docs, Chrome browser, Gmail, and more. Try airSlate SignNow’s legally-binding eSignature features with a mouse click.

See airSlate SignNow eSignatures in action

Create secure and intuitive eSignature workflows on any device, track the status of documents right in your account, build online fillable forms – all within a single solution.

Try airSlate SignNow with a sample document

Complete a sample document online. Experience airSlate SignNow's intuitive interface and easy-to-use tools in action. Open a sample document to add a signature, date, text, upload attachments, and test other useful functionality.

Checkboxes and radio buttons
Request an attachment
Set up data validation

airSlate SignNow solutions for better efficiency

Keep contracts protected
Enhance your document security and keep contracts safe from unauthorized access with dual-factor authentication options. Ask your recipients to prove their identity before opening a contract to comment hipaa business associate agreement.
Stay mobile while eSigning
Install the airSlate SignNow app on your iOS or Android device and close deals from anywhere, 24/7. Work with forms and contracts even offline and comment hipaa business associate agreement later when your internet connection is restored.
Integrate eSignatures into your business apps
Incorporate airSlate SignNow into your business applications to quickly comment hipaa business associate agreement without switching between windows and tabs. Benefit from airSlate SignNow integrations to save time and effort while eSigning forms in just a few clicks.
Generate fillable forms with smart fields
Update any document with fillable fields, make them required or optional, or add conditions for them to appear. Make sure signers complete your form correctly by assigning roles to fields.
Close deals and get paid promptly
Collect documents from clients and partners in minutes instead of weeks. Ask your signers to comment hipaa business associate agreement and include a charge request field to your sample to automatically collect payments during the contract signing.
Collect signatures 24x faster
Reduce costs by $30 per document
Save up to 40h per employee / month

Our user reviews speak for themselves

Kodi-Marie Evans
Director of NetSuite Operations at Xerox
airSlate SignNow provides us with the flexibility needed to get the right signatures on the right documents, in the right formats, based on our integration with NetSuite.
Samantha Jo
Enterprise Client Partner at Yelp
airSlate SignNow has made life easier for me. It has been huge to have the ability to sign contracts on-the-go! It is now less stressful to get things done efficiently and promptly.
Megan Bond
Digital marketing management at Electrolux
This software has added to our business value. I have got rid of the repetitive tasks. I am capable of creating the mobile native web forms. Now I can easily make payment contracts through a fair channel and their management is very easy.
be ready to get more

Why choose airSlate SignNow

  • Free 7-day trial. Choose the plan you need and try it risk-free.
  • Honest pricing for full-featured plans. airSlate SignNow offers subscription plans with no overages or hidden fees at renewal.
  • Enterprise-grade security. airSlate SignNow helps you comply with global security standards.

Your step-by-step guide — comment hipaa business associate agreement

Access helpful tips and quick steps covering a variety of airSlate SignNow’s most popular features.

Employing airSlate SignNow’s eSignature any organization can speed up signature workflows and eSign in real-time, supplying an improved experience to clients and workers. comment HIPAA Business Associate Agreement in a few simple steps. Our mobile-first apps make operating on the move achievable, even while off the internet! eSign signNows from any place in the world and complete trades in no time.

Keep to the stepwise guide to comment HIPAA Business Associate Agreement:

  1. Sign in to your airSlate SignNow account.
  2. Locate your document within your folders or import a new one.
  3. the document and edit content using the Tools menu.
  4. Drag & drop fillable fields, add text and eSign it.
  5. List several signers using their emails and set up the signing order.
  6. Choose which users can get a signed copy.
  7. Use Advanced Options to restrict access to the document and add an expiration date.
  8. Click Save and Close when done.

In addition, there are more advanced capabilities open to comment HIPAA Business Associate Agreement. List users to your collaborative workspace, browse teams, and track cooperation. Numerous consumers across the US and Europe recognize that a solution that brings everything together in a single cohesive workspace, is exactly what enterprises need to keep workflows performing efficiently. The airSlate SignNow REST API allows you to integrate eSignatures into your app, internet site, CRM or cloud. Try out airSlate SignNow and enjoy quicker, smoother and overall more effective eSignature workflows!

How it works

Open & edit your documents online
Create legally-binding eSignatures
Store and share documents securely

airSlate SignNow features that users love

Speed up your paper-based processes with an easy-to-use eSignature solution.

Edit PDFs online
Generate templates of your most used documents for signing and completion.
Create a signing link
Share a document via a link without the need to add recipient emails.
Assign roles to signers
Organize complex signing workflows by adding multiple signers and assigning roles.
Create a document template
Create teams to collaborate on documents and templates in real time.
Add Signature fields
Get accurate signatures exactly where you need them using signature fields.
Archive documents in bulk
Save time by archiving multiple documents at once.

See exceptional results comment HIPAA Business Associate Agreement with airSlate SignNow

Get signatures on any document, manage contracts centrally and collaborate with customers, employees, and partners more efficiently.

How to Sign a PDF Online

How to fill in and eSign a document online

Try out the fastest way to comment HIPAA Business Associate Agreement. Avoid paper-based workflows and manage documents right from airSlate SignNow. Complete and share your forms from the office or seamlessly work on-the-go. No installation or additional software required. All features are available online, just go to signnow.com and create your own eSignature flow.

A brief guide on how to comment HIPAA Business Associate Agreement in minutes

  1. Create an airSlate SignNow account (if you haven’t registered yet) or log in using your Google or Facebook.
  2. Click Upload and select one of your documents.
  3. Use the My Signature tool to create your unique signature.
  4. Turn the document into a dynamic PDF with fillable fields.
  5. Fill out your new form and click Done.

Once finished, send an invite to sign to multiple recipients. Get an enforceable contract in minutes using any device. Explore more features for making professional PDFs; add fillable fields comment HIPAA Business Associate Agreement and collaborate in teams. The eSignature solution supplies a reliable process and functions according to SOC 2 Type II Certification. Make sure that all of your data are guarded and therefore no person can edit them.

How to Sign a PDF Using Google Chrome

How to eSign a PDF template in Google Chrome

Are you looking for a solution to comment HIPAA Business Associate Agreement directly from Chrome? The airSlate SignNow extension for Google is here to help. Find a document and right from your browser easily open it in the editor. Add fillable fields for text and signature. Sign the PDF and share it safely according to GDPR, SOC 2 Type II Certification and more.

Using this brief how-to guide below, expand your eSignature workflow into Google and comment HIPAA Business Associate Agreement:

  1. Go to the Chrome web store and find the airSlate SignNow extension.
  2. Click Add to Chrome.
  3. Log in to your account or register a new one.
  4. Upload a document and click Open in airSlate SignNow.
  5. Modify the document.
  6. Sign the PDF using the My Signature tool.
  7. Click Done to save your edits.
  8. Invite other participants to sign by clicking Invite to Sign and selecting their emails/names.

Create a signature that’s built in to your workflow to comment HIPAA Business Associate Agreement and get PDFs eSigned in minutes. Say goodbye to the piles of papers sitting on your workplace and begin saving time and money for additional significant duties. Selecting the airSlate SignNow Google extension is a great practical option with a lot of advantages.

How to Sign a PDF in Gmail

How to sign an attachment in Gmail

If you’re like most, you’re used to downloading the attachments you get, printing them out and then signing them, right? Well, we have good news for you. Signing documents in your inbox just got a lot easier. The airSlate SignNow add-on for Gmail allows you to comment HIPAA Business Associate Agreement without leaving your mailbox. Do everything you need; add fillable fields and send signing requests in clicks.

How to comment HIPAA Business Associate Agreement in Gmail:

  1. Find airSlate SignNow for Gmail in the G Suite Marketplace and click Install.
  2. Log in to your airSlate SignNow account or create a new one.
  3. Open up your email with the PDF you need to sign.
  4. Click Upload to save the document to your airSlate SignNow account.
  5. Click Open document to open the editor.
  6. Sign the PDF using My Signature.
  7. Send a signing request to the other participants with the Send to Sign button.
  8. Enter their email and press OK.

As a result, the other participants will receive notifications telling them to sign the document. No need to download the PDF file over and over again, just comment HIPAA Business Associate Agreement in clicks. This add-on is suitable for those who like focusing on more valuable goals as an alternative to burning time for absolutely nothing. Enhance your daily compulsory labour with the award-winning eSignature application.

How to Sign a PDF on a Mobile Device

How to eSign a PDF template on the go with no mobile app

For many products, getting deals done on the go means installing an app on your phone. We’re happy to say at airSlate SignNow we’ve made signing on the go faster and easier by eliminating the need for a mobile app. To eSign, open your browser (any mobile browser) and get direct access to airSlate SignNow and all its powerful eSignature tools. Edit docs, comment HIPAA Business Associate Agreement and more. No installation or additional software required. Close your deal from anywhere.

Take a look at our step-by-step instructions that teach you how to comment HIPAA Business Associate Agreement.

  1. Open your browser and go to signnow.com.
  2. Log in or register a new account.
  3. Upload or open the document you want to edit.
  4. Add fillable fields for text, signature and date.
  5. Draw, type or upload your signature.
  6. Click Save and Close.
  7. Click Invite to Sign and enter a recipient’s email if you need others to sign the PDF.

Working on mobile is no different than on a desktop: create a reusable template, comment HIPAA Business Associate Agreement and manage the flow as you would normally. In a couple of clicks, get an enforceable contract that you can download to your device and send to others. Yet, if you want an application, download the airSlate SignNow mobile app. It’s comfortable, quick and has an incredible layout. Take advantage of seamless eSignature workflows from your business office, in a taxi or on an airplane.

How to Sign a PDF on iPhone

How to sign a PDF file utilizing an iPad

iOS is a very popular operating system packed with native tools. It allows you to sign and edit PDFs using Preview without any additional software. However, as great as Apple’s solution is, it doesn't provide any automation. Enhance your iPhone’s capabilities by taking advantage of the airSlate SignNow app. Utilize your iPhone or iPad to comment HIPAA Business Associate Agreement and more. Introduce eSignature automation to your mobile workflow.

Signing on an iPhone has never been easier:

  1. Find the airSlate SignNow app in the AppStore and install it.
  2. Create a new account or log in with your Facebook or Google.
  3. Click Plus and upload the PDF file you want to sign.
  4. Tap on the document where you want to insert your signature.
  5. Explore other features: add fillable fields or comment HIPAA Business Associate Agreement.
  6. Use the Save button to apply the changes.
  7. Share your documents via email or a signing link.

Make professional PDFs right from your airSlate SignNow app. Get the most out of your time and work from anywhere: at home, in the office, on a bus or plane, and even at the beach. Manage an entire record workflow easily: make reusable templates, comment HIPAA Business Associate Agreement and work on documents with partners. Transform your device into an effective company for executing contracts.

How to Sign a PDF on Android

How to sign a PDF file taking advantage of an Android

For Android users to manage documents from their phone, they have to install additional software. The Play Market is vast and plump with options, so finding a good application isn’t too hard if you have time to browse through hundreds of apps. To save time and prevent frustration, we suggest airSlate SignNow for Android. Store and edit documents, create signing roles, and even comment HIPAA Business Associate Agreement.

The 9 simple steps to optimizing your mobile workflow:

  1. Open the app.
  2. Log in using your Facebook or Google accounts or register if you haven’t authorized already.
  3. Click on + to add a new document using your camera, internal or cloud storages.
  4. Tap anywhere on your PDF and insert your eSignature.
  5. Click OK to confirm and sign.
  6. Try more editing features; add images, comment HIPAA Business Associate Agreement, create a reusable template, etc.
  7. Click Save to apply changes once you finish.
  8. Download the PDF or share it via email.
  9. Use the Invite to sign function if you want to set & send a signing order to recipients.

Turn the mundane and routine into easy and smooth with the airSlate SignNow app for Android. Sign and send documents for signature from any place you’re connected to the internet. Build good-looking PDFs and comment HIPAA Business Associate Agreement with a couple of clicks. Assemble a perfect eSignature workflow with only your smartphone and enhance your total productiveness.


Get legally-binding signatures now!


What active users are saying — comment hipaa business associate agreement

Get access to airSlate SignNow’s reviews, our customers’ advice, and their stories. Hear from real users and what they say about features for generating and signing docs.

I’ve used airSlate SignNow for a year and it’s still awesome
5
Matt Tauscher

What do you like best?

It’s super easy to use. I had my office mate buy also and he loves it too

Wonderful and convenient
5
Mandy Bullock

What do you like best?

How easy it is to work for me and my clients

Link Feature is Perfect
5
User in Mining & Metals

What do you like best?

There are many digital signature softwares out there, but I like airSlate SignNow because they allow you to send a link to contracts. Most other platforms make you send the contract to email addresses that you put in the system. This is a great feature and makes life so much easier.


Related searches to comment HIPAA Business Associate Agreement with airSlate SignNow

hipaa business associate agreement template 2020
hipaa business associate agreement checklist
what is the purpose of the business associate agreement?
ocr model business associate agreement
business associate agreements faqs
who needs a business associate agreement
business associate definition
hipaa business associate guidance

Countersign hipaa business associate agreement

Hi everyone, my name is Lauren Ramos. I am an associate attorney at McGuireWoods, and we wanted to thank you all for joining us today. We're going to go ahead and get started with the webinar. I'm also joined by my colleague Edwin Smith, who is also an attorney in the health care department at McGuireWoods, and we are presenting to you today a presentation on HIPAA business associate agreements. So that's where we'll spend the bulk of our time today, but we are going to start and end with a little more general information just about business associates: what's required of business associates, kind of how they are now accountable under HIPAA, to hopefully give some context around what business associate agreements really mean and what's required there. I know that we have the Q&A feature enabled, so please feel free to shoot your questions over. We will try to answer them in real time, and if we're not able to, we'll get a report and we'll certainly follow up with you after the webinar to respond to any questions that we don't get to as we're actually presenting. So I am going to go ahead and kick it off, and we're going to start out with what is a business associate. As most of you probably know, we've had HIPAA around since 1996. It's been around for a long time. And then we have the HITECH Act, that's been in place about five years now. They came in and made some changes to the HIPAA regulations. One of the big changes that was made was to change the definition of a business associate, and now business associates are actually directly liable under HIPAA, and OCR has direct authority over business associates to monitor their compliance, to enforce the HIPAA requirements against them, and to enforce penalties if OCR feels that a business associate has violated HIPAA. And that actually informs now some of the negotiations of business associate agreements that we'll talk about later, because that direct liability can take some of the pressure off covered
entities to really monitor their business associates and bear the risk of using business associates and disclosing protected health information to them. So there's a two-part definition of what is a business associate under HIPAA. The first thing is that you have a covered entity involved, which may seem obvious, but we get all kinds of things, you'd be surprised. So, a person who on behalf of a covered entity creates, receives, maintains or transmits PHI for a healthcare-related function or activity regulated by HIPAA. You can see some examples here: claims processing, quality assurance, benefit management. So that is something that is, you know, directly related to the healthcare of the covered entity. And just to back up a little bit, a covered entity would be a provider or a health plan or a clearinghouse. So if you have that relationship and PHI is disclosed, or the business associate creates PHI on behalf of the covered entity. Or a business associate, they can also be providers of professional services. So for example, we at McGuireWoods are in some instances a business associate to our covered entity clients, because we in some cases need to review PHI in order to provide legal advice to our clients related to some issue that they had come up, or maybe a HIPAA breach. And this can also include the covered entity's accountants, accreditation services, their auditing, anything like that where the provider of professional services needs to access PHI or may even create PHI on their behalf. A business associate does not include members of the covered entity's workforce, and this is an important distinction, because workforce is not necessarily just formal W-2 employees of a covered entity. The definition of workforce is much broader than that, and it's basically anyone who is under the direct control of the covered entity and performing their duties. So sometimes you have that relationship without necessarily being an actual employee of an entity, and in that
case the workforce member or entity that's considered a part of the covered entity's workforce does not constitute a business associate. You don't need a business associate agreement. That workforce member is just expected to follow the covered entity's policies and procedures and all of their protocols, and the covered entity is responsible for training those people and basically takes on all of the liability and the requirements with respect to that person or entity as a member of their workforce, and they are not a business associate in that case. So we get confusion in these cases. And then the other one that gets a little bit confusing, and I think we'll get to in a few slides, is sometimes just because there's PHI involved or being disclosed, it does not mean that there is a business associate relationship. You still need a permitted reason to disclose PHI to a business associate under HIPAA. So calling someone a business associate and putting a BAA in place do not necessarily mean that you're in compliance with HIPAA if there's not a permitted reason to be sharing your PHI with that business associate or with that entity. So we get a lot of real-world kind of guidance on this from OCR: who are business associates and who aren't. And so this was an interesting example a couple years ago. There's a lot of debate for many years over whether, as cloud services have grown so much and the use of them, you know, we've seen a lot of confusion and there's a lot of debate about whether they should be considered business associates, because, you know, realistically they're not really doing anything with PHI. You as a covered entity put your PHI in the cloud; they just provide the server for you to store it there. So there is, you know, an argument there that they should not be considered business associates that have responsibility with respect to that PHI. OCR has come out taking a different position, and as you can see, they confirmed that they are. Cloud service
providers, they have duties and obligations under HIPAA, as do the covered entities who use cloud service providers to store their PHI, or to transmit PHI, to share PHI maybe with another covered entity or with clients or whatever it might be. You do need to have a BAA in place, so you have to treat them exactly the same as you would any other business associate. So this is just a good example of how far-reaching we're getting now with business associates and that definition. So the Omnibus Final Rule of the HITECH Act that expanded all of this to include direct liability for business associates, that: we estimate that each new or significantly modified contract between a business associate and subcontractors will require one hour of the lawyer's time and cost of 84 dollars. And so I'm sure all of you are giggling a little bit, because none of us know any lawyers that only charge 84 dollars an hour. So we've gotten a lot from OCR as far as: this won't really make a big difference for businesses, they should have been doing some of these things all along, there should be BAAs in place, whatever the case may be. And we find out that actually it's not just about modifying a contract. BAs now have to directly comply with many, many provisions of HIPAA, and so these next few slides just kind of walk through those. What is actually required of a BA? You have to comply with all of these regulations that are listed here. They're subject to investigation, they're subject to audits, they have to report to OCR, they have to provide compliance reports, they have to open up their books and records to OCR, not just to monitor their own compliance but to investigate the compliance of the covered entity that's involved in the relationship. They may have penalties. We'll talk a little bit later about some specific examples where business associates did have penalties imposed on them. They have to be very careful with how they treat their employees and their workforce with respect to PHI and
enforcing HIPAA compliance. And so you can see all these requirements. They have to comply with all of the Security Rule requirements, so business associates need to do and have a Security Rule risk assessment. That is not optional. You have to put your security safeguards in place, you have to address any vulnerabilities that you identify, and have strict security protocols in place that protect the PHI that is maintained or created or received by the business associate. You can see all of these examples here as we kind of go through this slide: many, many provisions that business associates now are directly liable to comply with. So the cost and the liability actually did increase fairly drastically. And the things we would look for if we are advising a business associate on complying with all of these requirements that they have to do is to put into place privacy and security policies and procedures. This is something that we do on a regular basis for our clients, and it's very important to tailor them to the specific operations of your entity or of the business associate. You need to put in security policies, which are actually even more specific to the entity, because the Security Rule clearly says that you can tailor your security safeguards to the size and complexity of your organization. And then to have actual comprehensive, compliant security policies, you need to address things like your specific mobile devices that your entity uses and your employees use, all of your specific computers, workstations, what is your physical environment like and how do you protect that, all of these kinds of things. So that is even more specific to your entity, and having sort of stock form privacy and security policies and procedures on the shelf that you never really paid attention to or customized for your entity will not fly if you end up having a breach or having an audit. So that's a really important thing to spend time on on the front end so that
you don't get caught on the back end for not complying. One of the biggest things that we tell all of our clients is just to use encryption. It's not technically required by HIPAA, but it's so standard now and it's pretty low-hanging fruit, and if your PHI is encrypted in a manner that's compliant with, you know, most of the standard security standards out there, then most likely it's going to be considered secured PHI, and even if it is accessed improperly you will not have a breach, because the breach requires unauthorized use or access of unsecured PHI. So encryption helps you achieve security compliance, and it also can help you avoid having an actual reportable HIPAA breach should something go wrong. So we have some more just kind of guidelines here that you all can see, and we won't go through every one of these, but you want to make sure that you have all your breach policies in place. If you have an incident, you want to always, as a business associate, always be referring back to your business associate agreements for what you need to do to be in compliance with those, because as we'll talk about, you can vary a lot from the actual HIPAA requirements. A lot of BAAs add a lot of additional provisions, a lot of specific timing requirements that aren't necessarily under HIPAA. You want to be sure you're really keeping tabs on what your requirements are there, in addition to just under the regulation. Training employees and documenting all of these things, all of your compliance efforts. Doing self-monitoring, auditing. Again, if you just put some form policies into place and put them on the shelf and you never revisit, you never update your security risk assessment, anything like that, you know, you're not going to fare well with OCR if it comes down to that. You want to focus on the high-risk areas. So these are things that we see coming up over and over and over again in the enforcement actions, settlements that OCR publishes to the public: so many lost or
stolen mobile devices that were not adequately secured but did either have PHI or could access PHI through the mobile devices. People like to talk about their high-profile patients, and sometimes we'll see a breach where somebody, you know, a covered entity or physician or one of their contractors, will mention somebody because they're high profile and that they receive X treatment, you know, and that's an improper disclosure. And disposing of PHI: there are strict rules you need to follow to make sure that PHI is properly destroyed, and you absolutely cannot just throw it in the trashcan or take a bunch of boxes to the dumpster, and there have actually been settlement actions involving those kinds of activities as well. Follow up promptly if you find any problem. So again, just the continuous monitoring, auditing. If someone alerts you to a problem, address it at that time, and make sure that you create an environment where your employees, your staff, your workforce feel very comfortable raising concerns about HIPAA-related issues or bringing up potential breaches without there necessarily being repercussions, because the liability and the risk is just too great for an organization to have their employees uncomfortable with that. So that's kind of an introduction to business associates: what is a business associate, what do you have to comply with, how do you comply. And now we'll slow down a little bit and get more into the actual business associate agreements. So a couple of high-level thoughts here. A BAA is required between a covered entity and each business associate agreement, so there should be, each business associate, sorry, there should be a separate contract with each business associate, and if any of them are, the fact that you have ten BAAs in place but you're missing number eleven that you really should have, you're still out of compliance. That's still a problem. The same with business associates and their subcontractors. So HIPAA explicitly says that if you are
business associate and you push down some of your responsibilities to a covered entity to a subcontractor, they are actually also considered at that point business associates under HIPAA if they receive PHI, and you also have to put a business associate agreement in place at that level. And that goes on and on and on: as long as the trail of PHI is continuing on, there needs to be a business associate agreement in place at each level. That being said, business associates have liability even if they don't have a BAA. You can't say, "Well, a covered entity never made me enter into a BAA, so I don't have to worry about any of this stuff, and I don't have to follow the HIPAA regulations and protect the PHI," and that is explicitly addressed in the Federal Register when the new regulations came out in 2013: if you meet the definition of a business associate, you have to comply. So when do you need a BAA? This is a tricky question that comes up for us a lot. Anytime a covered entity discloses PHI to a business associate, or, like I said, if the business associate is creating PHI on behalf of the covered entity for some reason, or just maintaining it, like a cloud service provider, that's considered a disclosure and you need a BAA in place. It must be in place before PHI is disclosed, so backdating a BAA is not encouraged. You want to make sure that BAA is in place, that as a covered entity, and I guess I should take a step back to say, this liability is really on a covered entity to make sure its business associate agreements are in place. The covered entity will be the one liable to OCR if it's discovered that they don't have one, and so it's not the business associate's responsibility. Having a BAA in place, like I said, does not create compliance if there's not a permitted reason to disclose the PHI. So you can't just go to your neighbor and disclose, have them sign a BAA, and then tell them, say you're a physician, and then tell them about all of your patients. You do not have a reason to disclose that PHI that
is permitted under HIPAA, and so putting a BAA in place doesn't help you. This comes up most commonly in diligence with transactions, I would say, because so often the buyer wants to see PHI for some reason as part of diligence, or they want to have their consultant looking at things in diligence that involve PHI. And there is a transaction exception under HIPAA that allows that under health care operations if you meet certain requirements, and I would say, mmm, the majority probably of transactions, at least that we handle, and in the health care world today, do not strictly meet that exception. And putting a business, and so often we get clients to just say, "Well, let's just enter into a BAA." That likely mitigates your risk and your liability a little bit, but it does not automatically mean that you are compliant with HIPAA at that point and that you're allowed to just go ahead and disclose PHI, because you've got to otherwise have a reason that is explicitly permitted under HIPAA. Um, so we talked about business associate now includes subcontractors, so if you're a business associate, you use the subcontractor who you disclose PHI to, you need to have a BAA in place. And you also have to comply with the agency rule, which basically says if a business associate is carrying out a duty of the covered entity as its agent, so an example of this would be distributing the notice of privacy practices for the provider to patients in the correct manner, getting the correct acknowledgement that they received it, and all of that. So in that case, that's actually the covered entity's duty under HIPAA. If they have delegated that to a business associate and the business associate has been acting as a covered entity's agent, they have to comply with all of the requirements of HIPAA that would apply to the covered entity in that case. That language now explicitly has to be in a business associate agreement between the parties. Um, one thing that came out in the Omnibus final rule but we still feel is
that parties do not have to report to the Department of Health and Human Services if a breach of a BAA cannot be cured and termination is infeasible. So the flip side of that is that it used to say, if there's a breach of the BAA, terminate the BAA, which we see in all our BAAs; if it's not feasible to terminate the BAA, then you have to, then you should report that to the Secretary of HHS. I suspect that the Secretary of HHS decided at some point they didn't want to get all those reports anymore, and so that requirement, however, it was a carryover: it was in, I believe, the interim final rule and then dropped in the Omnibus final rule. And so a lot of people have already updated their BAAs to include this requirement, this reporting requirement, and we strike it, because why do you want a reporting requirement in your contract if you don't actually have to do it? So that's one to look out for. And then the key prohibition now with respect to business associate agreements is that the BAA cannot authorize the business associate to use or further disclose PHI in a manner that would violate HIPAA if the covered entity did it. So a covered entity essentially cannot go around authorizing its business associate agreement, its business associates, to use PHI in some way that's not actually allowed under HIPAA. You cannot expand the permitted uses under HIPAA just because it's your PHI as the covered entity, so you should get to decide who can do what with it, and that's not how it works. And often we actually see this language included in BAAs, to say the covered entity will not ask the business associate agreement to do that, and a business associate to use PHI in some impermissible way. I am going to now turn this over to Edwin and let him get into some of the nitty-gritty of what do we have to have in a BAA and then what are we allowed to have in a BAA, and then we will get into some of the really, as we call them, hot topics, some of the really
heavily negotiated areas of BAAs. I am Edwin Smith. I am a healthcare associate at McGuireWoods as well, and we're going to, as she stated, we are going to discuss the required provisions of a business associate agreement. First and foremost, the agreement must establish the permitted and required uses and disclosure of PHI by the BA, by the business associate. It must also prohibit the business associate from using or disclosing PHI other than as permitted by the BAA, and this includes using the minimum amount necessary for the disclosure. Also, business associates are required to use appropriate safeguards, including complying with the security standards, and to prevent use or disclosure of PHI other than that's provided by the agreement. The business associate is also required to implement administrative, physical and technical safeguards that protect the confidentiality, integrity and availability of all electronic PHI that is created. This includes acquiring the appropriate and necessary software and also having physical security barriers. It's also required for the business associate to ensure that any agent, including a subcontractor, to whom it provides PHI agrees to implement reasonable and appropriate safeguards to protect the PHI as well. Business associates are also required to make reports to the covered entity when necessary. This includes when there's a security incident of which the business associate becomes aware. This does not include simple pings, like, for example, when a member of their workforce forgets their password and types in the wrong password and, you know, the security alert is issued for the, you know, simple things like that, or attempted breaches that don't happen or that don't expose any PHI. Also, business associate agreements, or, um, business associates are required to also make reports for breaches of unsecured PHI to the extent possible and must identify each individual involved and
other information so that the covered entity can provide notice within sixty days. There's some argument out there on how quickly the business associate must get this, or the covered entity must get these notices out. Since the business associate will be doing investigations, a lot of times they want to have as long as possible to report these incidents to the covered entity, but the covered entity would like to cut down on the time allowed, so you'll see a good struggle in there. But the covered entity, in my opinion, is usually allowed sixty days from when they got notice from the business associate, but you'll see a struggle around there. The business associate is also required to obtain written assurances from any agents and subcontractors to whom it provides PHI, or who creates or receives by the BA on behalf of the covered entity, agrees to the same restrictions and conditions that apply to the business associate with respect to such information that it's received. I like to change this to "at least the same restrictions," so that way it allows the flexibility to have harsher or more stringent restrictions in the agreement with the subcontractor. Business associates are also required to make PHI available upon request and in accordance with 45 CFR section 164.524. Business associates are also supposed to make available PHI for amendment and incorporate amendments to PHI in accordance with these sections. This does not require the business associate to make all changes or all amendments that are requested; it's only required that they make appropriate changes that are requested. Business associates are also required to make available information required to provide an accounting of disclosures to the individual. Business associates are also, they are required to meet the requirements of the Privacy Rule if it has to carry out any of the covered entity's obligations under the Privacy Rule. Business associates are also to
make its internal practices, books and records relating to the use or disclosure of PHI received from, or created or received by the BA on behalf of, the covered entity available to the Secretary of HHS. A lot of times the covered entities like to put in provisions that sort of broaden these audit rights to include more than just the practices and books related to the PHI. You'll want to limit that, because, I mean, that's sort of inappropriate for what's going on here with the business associate agreement. And Edwin, I'll just jump in for a second, because there's usually some confusion about this one as well, because previously this provision of the regulation said that the business associate had to make its practices, books and records available to the covered entity or the Secretary for these purposes, and the covered entity portion of that was struck in the Omnibus final rule. So a lot of times we still see that language in there, and then, as Edwin mentioned, even expanding that audit right beyond that, but that is a very small nuance between the prior regulations and the Omnibus final rule that we often get tripped up on, and covered entities, you know, will sometimes use to try to sneak in a little audit right. Um, the business associate, during, at the termination of the business associate agreement, must return or destroy all PHI which is received or created on behalf of the covered entity and retain no copies of the PHI. There is an exception: if return or destruction is infeasible, then the business associate must extend the protections of the business associate agreement to the PHI indefinitely. Oftentimes the covered entity would like to have some sort of rights to determine whether infeasibility is, if the return is infeasible or not, or the destruction is infeasible or not, and a lot of times I like to strike that, because the fact that can be a fight. Also, the business associate agreement must authorize termination of the business
associate if the business associate has violated a material term of the agreement. As far as permitted provisions are, the business associate is permitted to use PHI as necessary for its proper management and administration or to carry out the business associate's legal responsibilities. Although this isn't required, this can be a deal-breaker for a lot of business associates if they need this for the function of their business. Also, business associates are permitted to, or may be permitted to, add in the provision to disclose PHI if the disclosure is required by law, if necessary for, again, the proper management and administration. Also, another point of contention can be the provision of data aggregation services within the business associate agreement related to the healthcare operations of the covered entity. That can also be sort of a touchy point when negotiating these business associate agreements. And now we're going to discuss the hot topics surrounding these business associate agreements. Just to start off, overly expansive definitions: I like to sort of keep the definitions as close to HIPAA as possible, because, you know, the opposing party can add things that you're not expecting. For example, with the security incidents, as I mentioned earlier, you don't want to have to make a report every time there's a small ping on your system for an attempted breach, or someone's password is logged in incorrectly. Things of that nature could, you know, be overbearing for a lot of entities. The timing for breach notification can also be a testing one as well. As I mentioned earlier, too, you want to be able to have some flexibility in investigating what happened. If you have a 24-hour turnaround, it's pretty difficult to have an investigation and to even determine if there's been a breach, so that's something where, you know, the covered entity and the business associate may differ, and there may be some room for negotiation. We also have breach notification and
mitigation responsibilities. Lots of times we see where the covered entity has a certain way that they want the breach notification to be delivered, how they want it to be drafted and whatnot, and that can be an issue if, you know, the covered entity has standard templates that they use across their business, and whether, you know, this may add to extra work for them. And I will say, too, that, you know, actually, technically under HIPAA, breach notification is the responsibility of the covered entity, so in some cases they will delegate that down to the business associate, and that's kind of up to the business associate whether or not to accept that responsibility to make breach notifications and even to pay. The next bullet is payment for breach notifications and mitigation. But often business associates will push back on that and will say, "We'll cooperate with you to get all the information together that we need to get out notifications, and even we'll pay for the cost of it, but we're not going to take on the affirmative responsibility to provide the breach notification, to make sure they're done correctly in compliance with HIPAA," you know, even if it's the business associate's actual fault at that point. So oftentimes the compromise ends up being, like I said, "We'll help you, we'll even pay for the actual reasonable cost of it, but we're not going to take the delegation of that full responsibility." Other hot topics include indemnity and limitations of liability. One of the things about being a business associate is that most of the indemnity rights seem to flow from the business associate up to the covered entity, because, just the nature of these deals, the business associate is most at risk of, you know, having the breach that affects the covered entity, and not the other way around. But still, there's limitations that you're going to want to put on your liability. A lot of times we see that, you know, the limitation of liability are capped at the
fees that the agreement, the underlying agreement, is on. We also have insurance, is always a hot topic. Audit rights: as I mentioned before, you want to limit the ability of the covered entity, their ability of giving your books, and just kind of keeping it to the provision of PHI. Yeah, so all of these things are, oh, sorry, Edwin, I didn't mean to cut you off, but all the things are essentially like, how much is the business associate willing to give to the covered entity that is not technically required under HIPAA? So things like requiring a business associate to have insurance, audit rights, giving them the right to cure a breach before the BAA is terminated, all of those things are, you know, not rights that a covered entity necessarily has under HIPAA to put in a business associate agreement, and not necessarily obligations on the business associate under HIPAA, but they're just purely negotiated provisions that we see often in BAAs. And I will say, going back up to indemnity, one interesting point is that a lot of times it's very, very common to have indemnity in a BAA, and oftentimes business associates don't fight back on that; we just wanted to limit it as much as possible and make it reasonable. But when business associates do push back on indemnification, a lot of times we do go back to the fact that business associates are now directly liable to OCR under HIPAA for violations. So the argument there, if you're a business associate, is that if you're doing something wrong, or if you cause a breach and it's because you did not have the right procedures in place, OCR is going to come after the business associate directly and not after the covered entity for that liability now, so the covered entity doesn't really have that much exposure and that much liability, at least under HIPAA. We can get into, a savvy covered entity will point out that there could still be state law issues potentially, you never know, depending on the state, but typically
you can take the position as a business associate that, because of the revisions to HIPAA, you don't have that much exposure, liability, and as long as we're agreeing to pay for the cost of a breach that we caused, you know, which is sort of a very limited form of indemnification, then that should be good enough for you, and we're not going to agree to provide a full indemnification provision. So we can really, that's one of the biggest hot topics, I would say, and we can really run the gamut from, you know, big, full indemnification provisions that the business associate doesn't mind to add, to completely refusing to include an indemnification in any scenario in the BAA. And so, like I said, just going through all of these: you know, does the business associate get the right to cure a breach of the BAA before the covered entity can terminate it? Edwin already touched on, can the covered entity have a say in whether the business associate's return or destruction of PHI is infeasible? All of the timing requirements are all negotiable. The covered entity has certain timing requirements under HIPAA for reporting breaches, for giving a patient or an individual access to PHI, for amending that PHI. Um, all of these requirements, they're all on the covered entity, and HIPAA says the covered entity has to do these within a certain amount of time. What HIPAA does not say is when the business associate needs to get the required information to the covered entity in order for the covered entity to fulfill its, to take care of all of those duties. And so, you know, like Edwin said, from a covered, from a business associate's perspective you want as long as possible; from a covered entity's perspective you want the shortest time possible, so that you can get all of your ducks in a row with the covered entity within the HIPAA-defined amount of time that you have to do that. Um, we talked about cloud service providers. Another way that covered entities can seek to get a little bit more, like, control as well is
having the right to approve any subcontractors that the business associate wants. So as we talked about, it's required that the BAA say, if you use a subcontractor, you will enter into a subcontractor BAA with that vendor, but who gets to pick those vendors is not dictated by HIPAA. And so a business associate would like to have control over that; a covered entity in some cases would like to know all of the subcontractors and entities and vendors that are having anything to do with its PHI. So that tends to be a heavily negotiated area, if that pops up in a covered entity's form. Um, then we get into state law requirements. So some people will take the position that a HIPAA business associate agreement is what is required, and we just need to meet the HIPAA requirements; anything else we agree on and going beyond that is not appropriate; we don't need to get into state law; it's not a requirement under state law to have this contract; let's keep it at what's the minimum that's required. Covered entities, of course, if they know that most of the individuals whose PHI they're in charge of, or that they have, are in a certain state, then they're going to want to squeeze in as much of that into the business associate agreement as they possibly can, because they want to have it in writing that the business associate will comply with all applicable laws. And you'll see in the last slide that there's a lot of other laws as well that we tried, that covered individuals sometimes try to get in there. Encryption is, again, not required by HIPAA, but often covered entities will try to put that requirement on the BAA, in the cover, on the business associate, excuse me, in the BAA, and sometimes business associates are fine with that, because they use encryption, they meet all of the standards, it doesn't matter if it's in the contract or not. And some business associates would not like to have their security protocols dictated and controlled by the BAA, where they would breach a
contract if they don't meet it, and so you get two sides of that. Equitable relief: so can the covered entity automatically go to court and get an injunction if the business associate violates the BAA? Um, as the business associate you want to say, "Well, you can go try to get it, but you still have to prove your case, right? You still have to prove that you're entitled to injunctive relief," whereas the covered entity wants the BAA to say, "We agree that we meet these elements that we're required to prove for injunctive relief, and therefore we can just go get that anytime we think you've breached it." There's a lot of talk right now about PHI outside the borders of the US. We have all of the new laws in Europe that are coming into play, so the parties will often disagree about whether the business associate should be entitled to offshore PHI and to use subcontractors that are outside of the US and things like that. That tends to be a hot topic. HIPAA does not require any specific action with respect to subpoenas, so we actually don't see this in business associate agreements that much, but a covered entity often will like to know if their business associate gets a subpoena for their PHI. So that is something that, as a covered, when we are negotiating on a covered entity side, we like to make sure that provision is in there, that the business associate will notify us on a very short, much shorter timing than a lot of the other timing requirements, maybe even like 48 hours, to notify the covered entity if there's a subpoena for PHI, because of the nature of subpoenas, and you need to move quickly if you are going to take action to try to quash the subpoena or put a protective order into place or anything like that. Um, who gets to control litigation, if there is litigation related to either the business associate's services or disclosure, use or disclosures of PHI that violate HIPAA? You know, if we're getting under those indemnification provisions and there's an actual
third-party claim, who gets to control that? Getting into amendment: a covered entity will often want to say, "If we think there's a change in law, or we think this BAA is no longer complying with HIPAA, we get to unilaterally amend it so that we can bring it into compliance, and we can make sure that we are not going to be penalized or liable for having a BAA that's out of compliance." That is, of course, less appealing to a business associate, who wants to have control over that and doesn't want new restrictions just imposed on it if they might be too onerous or might be something that could be negotiated a little bit, and so that's another point of contention often. The question of who owns PHI is really interesting, because there's no guidance under HIPAA, and of course your gut instinct is to say the covered entity obviously owns it, and that is often in the BAA: so the business associate has no right of ownership or anything to that PHI. And that doesn't make a huge difference, except if the business associate needs, for example, to retain the PHI after termination of the BAA or something to that effect; then you're going to want to add some language in there that explicitly permits whatever use you need of the PHI, despite the fact that the BAA says the business associate does not technically own it, because that is not even a legal certainty at this point. Same with encryption, anything that specifies particular IT requirements or security requirements: some business associates don't want that in a contract. And then who has to provide notifications, we talked about this, as far as breach notifications, and then also notifying the Secretary if the BAA cannot be terminated once it's breached. So the covered entity retains responsibility for breach notification, and notification if the BAA cannot be terminated is not required any longer. We've discussed all those. Um, one last slide on the hot topics and then kind of wrap
this up. So, survival clauses: who has to, what provisions of the business associate agreement are going to survive after termination? What's required to be in the BAA and will always be in there is that if the business associate retains PHI after termination of the BAA, then all of the provisions of the BAA continue to apply after termination, and the business associate must continue to protect that PHI. Beyond that, it's really about contract negotiation. If you agree to indemnification, almost always that will survive termination, but are there other requirements that you've negotiated within the BAA that you want to survive? And that does not necessarily just mean requirements on the business associate; that can also mean requirements of the covered entity. Oftentimes covered entities like to include provisions that if they get to terminate the BAA, they also get to terminate the services agreements or any other agreements between the parties, and so business associates will often push back on that. We often advise business associates not to agree that they will comply with the covered entity's policies or procedures, or really any control of a covered entity for their compliance, because you don't know what those say or how those might be amended, and they could very well go beyond the HIPAA requirements for business associates, and you're suddenly stuck complying with somebody else's more strict policies and procedures. The last specific point is, will the covered entity be required to comply with the minimum necessary rule, which says that you have to use or disclose only the minimum necessary PHI to achieve the purpose that you're going for? That's a requirement technically on a business associate and often included in BAAs; however, covered entities are also required to comply with the minimum necessary rule under HIPAA, so sometimes a business associate wants to get that explicitly in the contract, primarily because they want to ensure that the covered entity
does not disclose a ton of extra PHI to the business associate that is not necessary, that goes way beyond what's needed, and then the business associate is suddenly liable for two, three, ten times as much PHI, and protecting that PHI, as they would otherwise be if it were limited to the actual minimum necessary. So the covered entity is required to do it anyway; sometimes the business associate feels better if it's actually in the contract. And then there are just three types of rules here. These are all federal rules. 42 CFR deals with substance abuse information, and then the Gramm-Leach-Bliley Act and the Red Flag rules are more kind of financial and consumer rules, and sometimes those pop up in BAAs, and they don't really belong there. You know, a covered entity might take the position that "we want to get all of our privacy, all our agreements to comply with all the privacy rules, anything that could possibly apply; we want it all in one document, the BAA," and that's fine if the business associate wants to agree to that. Often these aren't applicable, and we as a business associate would take the position that we should keep, we need to keep this to HIPAA, and any of these types of laws should be included in the underlying services agreement. And then finally we have shenanigans, so just a catch-all for anything that's kind of funny in a BAA, and, you know, you likely want to question it, discuss it, maybe consult your legal counsel. So as you can see, all of these hot topics are things that are not necessarily required or even addressed at all in HIPAA, and it really comes down to how much control is the covered entity going to have, and how much risk and liability are they going to negotiate away on to the business associate, versus how much independence does the business associate need, and how much risk and liability is the business associate willing to take on beyond what is actually required of the business associate under HIPAA. So I know that we're out of time, but I
think you all will get these slides and you can look through. That was our main topic, negotiating business associate agreements, and the rest are just kind of interesting tidbits about litigation and settlement actions with OCR that did actually involve business associates, which didn't happen for a long time and has just been getting started in the last couple of years. So OCR is really making it clear to businesses that they will come after business associates, and they will come after covered entities for not having business associate agreements in place. There's actually, you'll see on the slides, there was actually a settlement related to that, where a covered entity didn't have a BAA in place where it should have. So these issues are getting a little more intense and just a little more important in the overall spectrum of HIPAA liability. So with that, and you're one minute over, we will go and conclude. I want to thank everybody for attending, and I'm just going to click through so our contact information is here. Please feel free to reach out if you have any further questions. I know there are some unanswered questions in the webinar, so we will get back to you on those shortly, and again, thanks for attending, and let us know if we can ever do anything to help you all with your HIPAA compliance.


Frequently asked questions

Learn everything you need to know to use airSlate SignNow eSignatures like a pro.


What is the definition of an electronic signature according to the ESIGN Act?

According to the ESIGN Act, an electronic signature is any symbol attached to a document confirming the validity of a signor’s intent to sign. It must always be associated with a signer (contain a digital trace including a timestamp and ID) and also demonstrate the clear intention of signing. airSlate SignNow provides users with a legally-binding eSignature. So any document, contract, or agreement signed with airSlate SignNow is enforceable in the United States and the European Union.

How can I add a signature space (field) to my PDF so that I can sign it?

With airSlate SignNow, you can easily create an eSignature and apply it to any and/or all your PDF, image, or DOC/DOCX files. Select the My Signature tool from the left-hand toolbar and place it anywhere you need. If you want to create a signing request, add the Signature Field and define the space (field) for the other party’s signature and share the document with the recipient via the Invite to Sign option. They'll be able to open the document (without having an airSlate SignNow account) using the link or email sent to them.

How can I electronically sign a read-only PDF that is not editable?

If you don't have the ability to edit a PDF but need to have it signed, consider using airSlate SignNow. It supports many file formats, including PDF, text, and JPEG/JPG. Upload a document, add editable fillable fields, and electronically sign your PDF using the My Signature tool. Use the Invite to Sign feature to collect signatures from other parties. Signing documents has never been more comfortable!