Q&A WITH SARAH B. EDWARDS
Indemnity clauses crucial in health care billing, claims services contracts
Q: Individuals and entities are turning to third-party contractors to perform health care billing and claims services, but the cost of claims made by individuals whose protected health information was improperly accessed or disclosed can be an issue if a business associate agreement doesn’t include an indemnification clause. What’s the background of the issue?
A: Due to opportunities for cost-savings through outsourcing, entities and individuals covered under the Health Insurance Portability and Accountability Act (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act, are increasingly turning to contractors and vendors to perform certain billing, claims and even customer follow-up services on their behalf. These health plans, clearinghouses and health care providers contract with such vendors to access the protected health information necessary to perform these services through a business associate agreement. Although HIPAA and the HITECH Act address the safeguarding of protected health information by business associates, these acts don’t address who covers the cost of claims made by individuals whose information was improperly accessed or disclosed due to a breach caused by the business associate.
Q: How can indemnification clauses help?
A: A valid indemnification provision essentially secures coverage or reimbursement in the event a client or customer sues a covered entity for harm caused by a business associate. Indemnification originally was explained to me many years ago as this: if you make a mess and someone else is harmed, it’s your responsibility to clean it up, not mine. Carefully drafted indemnification clauses are a necessary component of any business associate agreement to clarify who pays and the extent of such payment/remediation for claims.
Q: How does it work in this case?
A: In addressing an indemnification provision in a business associate agreement, the parties should consider how the protected health information will be accessed and whether the business associate will store any protected health information on its systems. Storing protected health information adds an additional level of risk, versus simply accessing protected health information on a covered entity’s system. The clause should provide for the indemnification and defense of a covered entity.
If there’s a breach or unauthorized access of protected health information caused by a business associate, claims will be made against a covered entity by the individuals whose information was improperly accessed or disclosed. While a covered entity may have a direct claim against the business associate for breach of contract, without a properly drafted indemnification clause, which contractually obligates a business associate to pay, there’s no assurance for recovery of costs and attorney fees incurred in defending a suit or handling such claims.
Although indemnification isn’t required by HIPAA, it should be addressed in any business associate agreement to ensure the parties are clear on risk allocation. In addition to including an indemnification provision, requiring and maintaining insurance coverage to cover the costs of a protected health information breach or unauthorized access, investigation and remediation, as well as a robust audit provision to ensure compliance, will help to further minimize the risk of an engagement.