As providers continue to rely on software vendors to maintain protected health information ("PHI"), a well-drafted business associate agreement ("BAA") becomes increasingly important. The BAA will set forth the obligations between providers and business associates such as software vendors with respect to the PHI.
Software vendors will often attempt to insert language into a BAA allowing the vendor to block the provider's access to the PHI, e.g., if the provider and vendor have a dispute about payment. Under recent guidance issued by the Department of Health and Human Services Office for Civil Rights ("OCR"), BAA clauses that limit provider access to PHI violate the HIPAA Privacy and Security Rules.
OCR gave multiple reasons why such clauses render both the provider and the vendor HIPAA non-compliant. One reason is that a vendor may not use PHI in a manner that would violate HIPAA. Blocking provider access is therefore an impermissible "use" of the PHI. Additionally, a business associate is required to make PHI available to the provider. The provider is in turn obligated to make PHI available to the patient. These obligations cannot be circumvented by means of a BAA.
Notably, providers are now obligated to make sure that the relevant BAA protects their access to PHI. Given the increasingly complex nature of HIPAA, a BAA must be carefully drafted or reviewed. We utilize an experienced, global perspective to counsel our clients on protecting access to PHI under their BAA as well as other important aspects of the provider-business associate relationship.
If you have any questions or require legal guidance with respect to drafting or reviewing a BAA, business associate relationships, HIPAA compliance, or any other legal issues facing your practice, please do not hesitate to call one of our experienced healthcare attorneys at 212.668.0200 or email the firm at firstname.lastname@example.org. Our healthcare partners have years of experience representing New York practices in numerous vendor and business associate transactions, as well as mergers & acquisitions, buy-ins/buy-outs, partnership formations/dissolutions, general commercial litigation matters, and defense of physicians and other healthcare providers in civil, administrative, disciplinary and criminal proceedings.