A party’s responsibilities under HIPAA generally come from two sources – the law itself and the business associate agreement entered into between the covered entity (the health care provider or health plan) and the business associate (its vendor). While all parts of a business associate agreement are important, there are certain terms that are most likely to affect the parties’ liability and obligations.
One of these key terms is indemnification, and it is the section of the business associate agreement that lawyers most often fight over. Folks often wonder why lawyers focus so much on this section, and the short answer is that when things go wrong, such as a data breach or HIPAA violation, indemnification is the clause that determines who pays, when they must pay, and how much they owe. In other words, it’s the money clause.
Indemnification is the concept through which the party at fault makes the other party whole; in other words, the party at fault will pay the costs, expenses, fines, and losses that the other party incurs.
While many underlying agreements will address indemnification (such as a service agreement or consulting agreement), it is often best to address indemnification in the business associate agreement itself, and specifically how it applies to the use and disclosure of protected health information (PHI). Your goal is to avoid incurring costs or damages due to the acts or omissions of the other party, or at least to limit your exposure to such costs. The costs and damages a party is typically most worried about are those incurred due to a data breach or HIPAA violation by the other party, such as attorney fees, notification costs, credit monitoring, or fines.
Let’s take an example of a typical data breach to demonstrate the importance of indemnification:
City Hospital hires a consulting firm to provide guidance on improving patient outcomes. As part of the engagement, a consultant downloads a list of patient records to a laptop. Unbeknownst to the consultant, IT mistakenly failed to encrypt the laptop (had the laptop been encrypted in line with HHS guidance, the loss would not have involved unsecured PHI and would not have triggered breach notification). While in an airport, the laptop is stolen. The consultant reports the theft to her employer, and the hospital is notified.
When notice of the stolen laptop reaches a hospital executive or the executive director of the consulting firm, one of the first questions asked will be: “what is this going to cost us?” When faced with a data breach that can easily cost a health care facility six figures, the first place the facility and its attorneys will look is the indemnification clause. This clause will tell them who is responsible for paying the costs of the data breach (does the hospital pay or the consultant?), how much the obligated party must pay (if the consultant must pay, is there a cap?), and which costs the obligated party must pay (if the consultant must pay, does the consultant need to pay the hospital’s attorney fees?).
Moreover, what if the business associate agreement lacks an indemnification clause? In that case, someone will need to inform the hospital’s CEO that the hospital may be unable to recover its costs, or may be able to do so only at considerable expense. No one wants to be in the position of breaking such news to the CEO.
In a future post, we will look at the most important issues to keep in mind when drafting indemnification clauses in order to appropriately protect your organization.