A Business Associate Agreement Dilemma: To Indemnify or Not to Indemnify – Ten Considerations

Winter 2014Articles Garden State Focus

Now that the Final Omnibus Rule under HIPAA, originally published on January 25, 2013, is in full force, covered entities (CEs) and their continuing business associates (BAs) should be examining their existing pre-Final Omnibus Rule HIPAA Business Associate Agreements (BAAs). While the “Effective Date” of the Final Omnibus Rule was March 26, 2013, most provisions did not go into effect until September 23, 2013. BAAs that were “already in effect” as of January 25, 2013, and were not otherwise renewed or modified from and after the March 26, 2013 Effective Date should be reviewed and modified no later than September 23, 2014, if necessary, to comply with the Final Omnibus Rule.

By this time, CEs and BAs should have become more sophisticated and cautious regarding the negotiation of, and entry into, a BAA. In this regard, a party (Party) to a BAA (or a Subcontractor Agreement (SCA), for that matter), whether a covered entity (CE), business associate (BA) or subcontractor (SC), may confront the question as to whether to agree to, demand, request, submit to, negotiate or permit, an indemnification provision (Provision) respecting the counterparty (Counterparty) under a BAA or SCA. On January 25, 2013, the U.S. Department of Health and Human Services published “Sample Business Associate Agreement Provisions,” which were silent on the matter of indemnification. Nonetheless, whether or not to include a Provision is often a major question for Parties to BAAs and SCAs.

Click here to view the full text.