Questions often arise as to what terms need to be and should be included in a business associate agreement. The distinction between “need” and “should” is very important. The regulations implementing HIPAA set out what “needs” to be included, as failure to include all of the specified elements would leave a business associate agreement deficient. As such, the amount of negotiation on these terms is minimal and is directed more to the fine-tuning of how such terms are set out.
The “should” terms present the more interesting issues. The “should” terms are not mandated by HIPAA, but can be included at the preference of the parties. One such provision is an audit right for the upper-level party (this could be the covered entity, or a business associate over a subcontractor). Under an audit provision, the upper-level party often seeks the right to review, whether in person, through documentation, or some combination of the two. The stated purpose is for the upper-level entity to be able to confirm compliance by the lower-level entity with applicable HIPAA obligations.
The benefit and assurance provided by an audit can sound appealing. Instead of wondering whether a risk analysis has occurred or if a particular policy is in place, the upper-level entity can ask for proof or find it by itself. Such information can prove or disprove a party’s assertions, provide comfort that the risk of a breach is not as great as feared, or provide grounds for terminating a relationship, among various options. The information can be gathered proactively as opposed to waiting for a bad outcome or other negative event to occur.
Despite all of the good intentions, though, if an audit provision is included, the right to audit may not actually be utilized. In this instance, the audit may just be used as a persistent threat to spur a desired action, or even be completely forgotten. Regardless of the reason for an audit provision not being used, any non-use makes it a hollow right. What’s the danger in that, though?
The danger presented by not exercising an audit right could arise in the form of liability for the upper-level entity. Take an all too common scenario: a lower-level entity mishandles protected health information because it does not appropriately account for a mobile device, misconfigures a database, falls victim to a phishing attack, or any number of other causes. When a breach occurs, all parties in the chain can potentially be liable. From the upper-level entity’s perspective, it may feel comfortable that it has a good business associate agreement in place and does all of its own monitoring. But that is not the end of the issue. If the upper-level entity included the right to audit in the business associate agreement, what did it, or should it have, known about the lower-level entity? For example, would an audit have revealed that the lower-level entity was not fully honest about the scope of its compliance, found inconsistent application of policies, or uncovered some other deficiency? If that deficiency could have been found, what action would the upper-level entity have been obligated to take?
These questions become important when trying to apportion or assign liability. Arguably, even though an upper-level entity does not need to include an audit provision in a business associate agreement, once it is added the upper-level entity should follow through with exercising it, because that information will aid the upper-level entity in determining whether its vendors are appropriately protecting and securing data. If the upper-level entity cannot be satisfied that appropriate protections are in place, then the relationship should be terminated unless the issue can be remedied. The result is that the upper-level entity has created an unintended burden for itself.
While an audit provision can be a powerful tool, it can certainly be a matter of being careful what you ask for. It is important to always fully understand the implications of a provision in any agreement, especially when a provision can create unexpected regulatory ramifications.