Addressing a HIPAA Business Associate Agreement Conundrum — Indemnification Provisions

November 14, 2014Articles AHLA Weekly


The Final Omnibus Rule under the Health Insurance Portability and Accountability Act (HIPAA) is now in full force, and presumably covered entities (CEs) and their business associates (BAs) have their required Business Associate Agreements (BAAs) in place. By this time, most CEs and BAs should have become more sophisticated and cautious regarding the negotiation of, entry into, and analysis of, a BAA. A party to a BAA (or a Subcontractor Agreement (SCA[KMJ1] )), for that matter), whether a CE, BA, or subcontractor, is likely to have confronted, or may confront in the future, the question whether to agree to, demand, request, submit to, negotiate, or permit an indemnification provision under a BAA or SCA. (Although this article will limit its discussion to BAAs, the principles involved are equally applicable to SCAs as well.)

Often a CE or BA will be party to many BAAs with materially different indemnification provisions.Some BAAs may contain no indemnification provisions. CEs and BAs would do well to inventory their BAAs to ascertain their individual and aggregate level of indemnification exposure and/or benefit.

On January 25, 2013, the U.S. Department of Health and Human Services published “Sample Business Associate Agreement Provisions,” which was noteworthy as to its silence on indemnification, perhaps due to the complexity of the matter and the lack of specific references to the subject in HIPAA or its regulations. Nonetheless, whether or not to include an indemnification provision, and the legal consequences that may result, has been and will continue to be, a significant issue for parties to BAAs.

There are a number of common themes that, at a minimum, may determine in a specific case for a party whether the BAA should include an indemnification provision. Because a breach of HIPAA, especially in the areas of privacy and security, can result in potential enormous financial liability, damaging publicity, negative client and customer reactions, and large monetary penalties for affected CEs and BAs, appropriate attention should be given to indemnification provisions in crafting BAAs. This article lists a number of considerations regarding whether to include an indemnification provision in a BAA. The article then analyzes sample indemnification provisions that have been derived from BAAs, as well as related BAA terms that may relate to indemnification. Generally, the article’s perspective is from the point of view of a BA rather than the CE because the BA generally has many more obligations and representations and warranties in the BAA than the CE.