Entities that are Business Associates need a model BAA to use with their customers, and may also have subcontractors for which a BAA is also needed. Should you use the same agreement? Probably not! Eagle recently updated the model BAA included in our various HIPAA policy templates for Business Associates, which are available in our store. And we have now decided to give these BAAs away!
For your subcontractors, you will want to ensure that a rigorous and robust agreement is in place, and that you are protected if they make any mistakes. So this agreement includes additional language, beyond what is required by HIPAA. Here are two examples:
- Indemnification Clause: HIPAA does not require an indemnification clause, but this agreement includes one so that your downstream business associates are explicitly responsible for costs resulting from a breach that the business associate causes. The costs include, but are not limited to: regulatory fines, breach notification, breach mitigation and legal costs.
- 10-Day Incident Reporting Requirement & Preliminary Risk Assessment Requirement: Greater specificity is provided regarding the processes for security incident reporting and breach reporting. The subcontractor must report security incidents, along with its preliminary risk assessment of each incident, to you within 10 days. Further, you retain control of the process and the right to decide whether or not a security incident constitutes a data breach.
Should you use the same form, with that tough language, in the service agreements with your clients? Possibly you will need to offer these provisions to secure the business. Larger covered entities' attorneys will want you to sign their own form, which will include similar tough language. However, we have a separate HIPAA BAA that is fully compliant with all HIPAA requirements but contains nothing more. You may want to lead the negotiations with this form. This BAA template has less-stringent language, so that if you make a mistake, you won't be obligated to any corrective action or costs beyond what HIPAA mandates.
We are offering for download “HIPAA-Business-Associate-Agreement-For-Subcontractors”, while the BAA template with less-stringent language, for use with your clients, is simply titled “HIPAA Business Associate Agreement”.
These HIPAA BAAs, along with many other pages of compliance materials, are available in three of our comprehensive HIPAA Policy and Procedure templates: