The audio portion of the conference may be accessed via the telephone or by using your computer's

speakers. Please refer to the instructions emailed to registrants for additional information. If you

have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

Structuring Indemnification Provisions

in Business Associate Agreements Allocating and Transferring Risk in Healthcare Contracting

Today’s faculty features:

1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

THURSDAY, FEBRUARY 25, 2016

Presenting a live 90-minute webinar with interactive Q&A

Matthew R. Fisher, Mirick O'Connell, Worcester, Mass.

Rachel V. Rose, JD, MBA, Rachel V. Rose – Attorney at Law, PLLC, Houston

Tips for Optimal Quality

Sound Quality

If you are listening via your computer speakers, please note that the quality

of your sound will vary depending on the speed and quality of your internet

connection.

If the sound quality is not satisfactory, you may listen via the phone: dial

1-866-819-0113 and enter your PIN when prompted. Otherwise, please

send us a chat or e-mail sound@straffordpub.com immediately so we can address

the problem.

If you dialed in and have any difficulties during the call, press *0 for assistance.

Viewing Quality

To maximize your screen, press the F11 key on your keyboard. To exit full screen,

press the F11 key again.

FOR LIVE EVENT ONLY

Continuing Education Credits

In order for us to process your continuing education credit, you must confirm your

participation in this webinar by completing and submitting the Attendance

Affirmation/Evaluation after the webinar.

A link to the Attendance Affirmation/Evaluation will be in the thank you email

that you will receive immediately following the program.

For additional information about continuing education, call us at 1-800-926-7926

ext. 35.

FOR LIVE EVENT ONLY

Disclaimer

THE INFORMATION PRESENTED IS NOT MEANT TO

CONSTITUTE LEGAL ADVICE. CONSULT YOUR

ATTORNEY FOR ADVICE ON A SPECIFIC SITUATION.

4

5

Structuring Indemnification Provisions in Business Associate Agreements

Matthew Fisher, JD

mfisher@mirickoconnell.com

Rachel V. Rose, JD, MBA rvrose@rvrose.com

February 25, 2016

6

Overview

• Intro to HIPAA and BAA Regulatory Requirements

• Types of Indemnification Clauses & Their Impact on Other Contractual Provisions

• Considerations for Attorneys and Other Professional Responsibility Issues

• International Considerations

• Practical Negotiation Considerations

6

7

Intro to HIPAA and BAA

Requirements

8

Legislative History

• 1996 -HIPAA (Public Law 104-191) – need for consistent framework for transactions and other administrative items.

• 2002 – The Privacy Rule (Aug. 14, 2002)

• 2003 – The Security Rule (Feb. 20, 2003)

• 2009 - Health Information Technology for Economic and Clinical Health (“HITECH”) Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5) (Feb. 17, 2009)

• 2009 – The Breach Notification Rule (Aug. 24, 2009)

• 2010 – Privacy and Security Proposed Regulations (Feb. 17, 2010)

• 2013 – Omnibus Rule (Effective March 26, 2013, Compliance Sept. 23, 2013).

8

9

Business Associate

A “business associate” is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information.” Business associate includes: (i) A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information. (ii) A person that offers a personal health record to one or more individuals on behalf of a covered entity. (iii) A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.

9

10

KEY DEFINITIONS

• Confidentiality – “the property that data or information is not made available or disclosed to unauthorized persons or processes.”

• Integrity – “the property that data or information have not been altered or destroyed in an unauthorized manner.”

• Availability - “the property that data or information is accessible and useable upon demand by an authorized person.”

10

11

Business Associate

Agreement (“BAA”)

• Covered entities may not disclose protected health information to business associates or allow BAs to use PHI unless the parties have executed a business associate agreement

– Have to use reasonable efforts, but if can’t get. . .

• BAs have same obligation to have agreement in place with subcontractors

11

12

What Is a BAA?

• A contract.

• Required under HIPAA.

• Several items must be included – for example: – Establishment of permitted and required disclosures and uses

– Non-disclosure of information

– Appropriate safeguards

– Breach notification

• Require elements found in both Privacy and Security Rules

12

13

BAA Basics

• How know when one is needed?

– Will one party handle PHI for or on behalf of another entity?

– Is a service being performed?

• Covered Entity Considerations:

– When in doubt, get one executed??

• Business Associates

– Carefully consider situation, try not to be forced into signing unnecessarily

14

Is Indemnification Required in a

BAA Under HIPAA?

No.

14

15

Types of Indemnification

Clauses & Their Impact on Other

Contractual Provisions

16

What is Indemnification?

• “To save harmless; to secure against loss or damage; to give security for the reimbursement of a person in case of an anticipated loss falling upon him. Also to make good; to compensate; to make reimbursement to one of a loss already incurred by him.” Cousins v. Paxton &

Gallagher Co., 122 Iowa. 405, 98 N- W. 277.

• Law Dictionary: What is INDEMNIFY? definition of INDEMNIFY (Black's Law Dictionary)

16

17

Types of Indemnification

Provisions

• Broad Form

• Intermediate Form

• Limited Form

17

18

The BAA, Indemnification and

Additional Considerations

Relationship between the parties.

Type of indemnification.

Has due diligence been done?

Are the parties located internationally?

Have state and international laws been considered?

How does the indemnification clause impact arbitration and other related contracts?

18

19

Indemnification:

Impact on and Interrelation with Related Provisions

20

Related Provisions

• Stay away from agency relationship

• Reallocation of breach responsibility

• Limitation on liability

• Insurance coverage

• Don’t forget the underlying service agreement

21

HIPAA and Agency

• HIPAA provides that a covered entity (or a business associate) will be liable under federal common law of agency

• Then again, if an agent, may not be a business associate

22

HIPAA and Agency

• What is an agent under federal law?

– Determined by specific factual scenario

– Can the covered entity (business associate) control the activities or conduct of the other party

– what authority or obligations are being delegated

– What skill is required to perform the services

• What are avenues for control?

– Just contract? General oversight?

23

Consequences of Agency

• What happens if there is an agency relationship?

– Could result in covered entity having more direct liability

– Could go around the contract provisions

– Harder to avoid liability

• As a good practice, avoid falling into agency situation

– Disclaim this type of relationship

24

Breach Notification

• What are response obligations?

– Is CE retaining full control?

– Does the BAA assign notification or other actions to the BA?

• What is required?

– BA: notify CE, mitigate incidents and breaches

– CE: provide notification to individuals (media and HHS, depending on circumstances)

25

Breach Notification

• May require: – Indemnity for response costs

– Indemnity for other costs associated with breach

– Cooperation and assistance with mitigation, notification, more

26

Limitation on Liability

• Some party may try to put cap on what it may owe

• Apply only to specific costs?

– Only breach response?

– Cut out anything but direct damages?

• i.e. no punitive, special, indirect, consequential, or other damages

27

Limitation on Liability

• Other Considerations:

– Disclaim for damages caused by subcontractors

– Seek comparative fault: each party responsible only for what it caused

28

Insurance Coverage

• Should insurance coverage be required?

– General liability, cyber, privacy, other?

• Can it be obtained?

• If include, identify policy limits

• Be aware of exclusions and conditions

• Could indemnification invalidate?

29

Insurance Coverage

• If include, consider:

– Require CE/BA, as applicable, be named as additional insured

– Ask for certificate of insurance and actually review

– Being able to review and/or approve coverage

• But be careful of exerting too much control

– Require notification in advance of any change or cancellation

– Tail coverage

30

The Service Agreement

• Don’t forget, the BAA attaches to a Service Agreement

– Does not exist in isolation

• What terms are in the Service Agreement?

– Limitation of Liability?

– Indemnification?

– More

• Which agreement (Service or BAA) controls?

31

Considerations for Attorneys and

Other Professional Responsibility Issues

32

Indemnification and Lawyers’

Professional Rules of Responsibility

• Some states do not allow it (North Carolina, New York, Illinois, Indiana, Kansas, Missouri, Arizona and Florida)

• Is the party a non-profit or for-profit? • Request a formal ethics opinion

– Found in State Bar ethics opinions - NYC Bar Association Ethics Opinion 2010-3 http://www.abcny.org/nycbar/index.php/ethics/ethics-opinions-local/2010-opinions/844-settlement-agreements-requiring-the-financial-assistance-of-counsel

– Under the New York Rules of Professional Conduct, attorneys signing hold harmless agreements along with their clients is a violation of Model Rules 1.8(e), possibly creating a conflict of interest. In addition, it is in violation of NY Model Rule 1.7(a).

32

33

To Include or Not To Include…

• Factors to address when considering an indemnification provision Who are the parties?

What are the relevant state laws?

How have the parties’ HIPAA compliance been evaluated?

What third parties could impact the contract?

Will a breach of a BAA provision cause harm?

34

Who are the parties and where are

they doing business?

35

Recovery of Attorney Fees

Long v. Abbruzzetti, 254 Va. 122, 128 (1997).

("[W]e recognized that, in the absence of contractual or statutory liability, attorneys' fees incurred in present or previous litigation between the same parties generally are not recoverable. However, we also stated that when a breach of contract has forced a plaintiff to maintain or defend a suit against a third person, the plaintiff may recover reasonable attorneys' fees incurred by him in the former suit.")

36

International Considerations

37

International Issues

• The reach of the U.S. Department of Justice.

• Venue, forum and arbitration clauses.

• ISO standards.

• The laws of other countries.

• Legal consequences (e.g., criminal and civil) of breaches outside the United States.

• Where is my data?

38

Best Practices for

Negotiating and Structuring

Indemnification Provisions

38

39

Best Negotiating Practices

• Who do you represent? – Covered entity?

– Business Associate?

– Subcontractor?

• What is the level and/or nature of risk?

• What is your client’s goal?

• What role will each party play?

• Who is likely to sue?

39

40

Negotiations

• Terms very often depend on each organization’s size

41

Covered Entity Considerations

• What is important from CE’s perspective? – What services are being provided?

– What is the extent of information being shared?

– Confidence in business associate

– Utilize “standard form” for all business associate agreements?

– What extent of damages want covered?

– Level of sophistication of both parties

41

42

More Covered Entity

Considerations

• Could indemnity provision boomerang because of state law?

• Is there a limitation or cap on the amount of damages that can be recovered?

43

Business Associate

Considerations

• How much leverage can the BA exert?

• Seek mutual obligation?

• Put limit on any indemnification provided?

• Other responsibilities? – i.e. professional obligations depending on type of BA

• Put pressure on CE by proposing own form BAA

• How handle a subcontractor?

43

44

Specific Business Associate

Issues

• Lawyer as BA – What professional responsibilities apply?

– Could there be an ethical conflict?

– Are you negotiating with a client over a BAA that you prepared?

– How much can you negotiate with a client?

45

Specific Business Associate

Issues

• CE as a Business Associate – Yes, this can happen

– Is the CE willing to be treated the same way that it treats its BAs?

– What terms has the CE been willing to accept from its BAs?

46

Specific Business Associate

Issues

• Hybrid Entities – Is the entire entity on the hook for the terms of the BAA?

– Can indemnification be limited to certain resources of the hybrid entity?

47

Structural Considerations

• Impact on and of liability insurance

• Can other parties benefit

• Is the indemnification provision consistent with public policy

• Mutuality

• Limit on damages

• Scope of actions covered

47

48

Structural Considerations

• Carve outs for certain acts

• What is the reality that a party can meet the indemnification obligations

• General limitation of liability necessary?

• Leave out altogether?

48

49

Questions and Contact Information

Matthew Fisher, JD, Associate Mirick, O'Connell, DeMallie & Lougee, LLP

mfisher@mirickoconnell.com

508-929-1648

Rachel V. Rose, JD, MBA Rachel V. Rose – Attorney at Law, PLLC

Attorney at Law, PLLC rvrose@rvrose.com

713-907-7442

49