
Negotiating Business Associate Agreements for IT Service Providers

When negotiating a services agreement with a party that holds or controls protected health information, whether a covered entity such as a healthcare provider or a business associate that services healthcare providers, an IT services company is often asked to execute a Business Associate Agreement, or BAA.

A BAA is an agreement that governs the use and disclosure of protected health information by a third-party service provider. Such agreements are fairly standardized across covered entities, and the U.S. Department of Health and Human Services publishes sample BAA provisions on its website.

When reviewing a proposed BAA, the IT service provider should consider the purposes of, and services to be delivered under, the main agreement, and the circumstances under which the provider will or might be exposed to protected health information.

One area that IT service providers should review closely is any obligation to update or amend protected health information.

BAAs may contain language that obligates the business associate to act on an individual's request to amend his or her protected health information, mirroring the individual's right of amendment under the HIPAA Privacy Rule.

For many IT service providers, particularly those that are data-agnostic, that will have no access to an individual's protected health information, or that will receive only encrypted data, such an obligation can be difficult to meet from a compliance perspective. Providers of data backup or disaster recovery services in particular should pay close attention to such requirements: in delivering those services, the IT provider typically has no ability to locate, let alone amend, an individual's record within the data it holds.

In negotiating a BAA, consider alternative language that clearly delineates which party is responsible for updating data sets. For example, the BAA might provide that the IT service provider will promptly notify the covered entity if an individual requests access to, or amendment of, his or her protected health information, and that the covered entity will make the amendment in its own systems.