HIPAA compliance: Protect yourself from others' mistakes
Benefits advisors and brokers must understand what their exposure is if their valued business partners fall victim to an event that results in a HIPAA breach.
Today, when so many agents, brokers, and consultants rely on third parties to support their daily operations, you must understand what your exposure is if your valued business partners fall victim to an event that results in a HIPAA breach.
So, what is an indemnification clause, why is it so important, and why should your group insist on one in your business associate agreements (BAAs)?
Imagine you borrow a friend’s car, and while driving around, you have an accident. Everyone involved – your friend, you, and the other party involved in the accident – must clearly understand who is responsible. Fortunately, there are protections under auto insurance rules that determine whose policy covers the accident.
Does your BAA protect your agency? Probably not…
When it comes to PHI, you have a responsibility to your clients to protect their information, and by having a BAA, your subcontractors are agreeing to protect this information, too. If you don’t have the proper indemnification clauses in the agreement, you could be left holding the bill if your subcontractor has a breach. You could sue the subcontractor, but clearly defining responsibilities is better and cleaner for your business. If a subcontractor has a breach, they should accept responsibility and be willing to make your company whole. Remember, contracts aren’t there for when everything goes right; they are there if there is an issue, so responsibilities must be clearly defined.
What’s covered and who pays?
Here are the key reasons why indemnification provisions are essential for agencies:
- Safety shields: Indemnification clauses are like shields, protecting one party if the other has an issue. If someone wrecks your car, they might have to pay fines or legal fees.
- Sharing the risk: The person who drives or, in the case of your BAA, handles your PHI is the responsible party. Your BAA must clearly define who is accountable to protect your organization.
- Reminders: Indemnification clauses remind your contractors to follow HIPAA’s Rules and protect the PHI you’ve entrusted to their care.
- Breach notification: The BAA needs to require that everyone be informed immediately about an issue and that the responsible party help clean up the mess as best as possible. Breach mitigation could mean telling the affected parties and/or financially stepping up to pay for credit monitoring.
Indemnification clauses in HIPAA-related contracts are essential in outlining responsibilities and safeguarding parties against legal liabilities. Reviewing your BAA to ensure it has the proper provisions to protect your organization if there is a breach is imperative. If you haven’t checked your BAAs recently, now is the time to review and renew those agreements and ensure they protect your organization and livelihood.