1 / 40

Vendor Privacy: Due Diligence and Contracting Solutions

Vendor Privacy: Due Diligence and Contracting Solutions. William J. Roberts, Esq. May 31 , 2017. Agenda. Overview of Data Breach Landscape Vendor and Privacy Strategy Privacy Agreements with Vendors Common Vendor Privacy Disputes. Introduction.

kinsey
Download Presentation

Vendor Privacy: Due Diligence and Contracting Solutions

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Vendor Privacy: Due Diligence and Contracting Solutions William J. Roberts, Esq. May 31, 2017

  2. Agenda • Overview of Data Breach Landscape • Vendor and Privacy Strategy • Privacy Agreements with Vendors • Common Vendor Privacy Disputes

  3. Introduction • Counties may be subject to numerous data privacy and security laws. • Those counties which provide health services often find that these services and related facilities must comply with specific health care privacy laws, namely HIPAA. • Other laws may also apply (Part 2 rules, state law) • Our goal today is to address how to comply with these laws and manage privacy risk with respect to vendor contracting in the health care context.

  4. Keeping Control • Do you know who has your data? • What are they using it for? Will they give it back? • What laws apply to the data that you disclose or make available? • Would you know if they lost itor if it was stolen? • What risks exist – business, legal, public relations, customer relations? • What data should you be worried about? • Student, patient, member data • Customer data • Proprietary trade secrets, financial information • Employee data

  5. What Could Possibly Happen?

  6. 3 Part Strategy

  7. Organizational Policies • Don’t limit your privacy and security policies to only HIPAA compliance – while important, HIPAA is not the only privacy and security concern a covered entity or business associate should have. • Proprietary information and trade secrets. • State privacy laws. • Ensure that policies apply to all vendors, and not merely those subject to HIPAA. • Revisit policies regarding access to premises and information systems. • Determine when your organization requires a non-business associate to enter into a confidentiality agreement.

  8. Due Diligence • Consider implementing a vendor screening tool as part of your contracting process. • Obtain privacy and security information and assurances from a potential vendor prior to entering into negotiations. • Receive comfort that a vendor who will have access to your premises or information systems is cognizant of privacy concerns, takes privacy seriously and has a privacy and security plan in place. • Use vendor screening tool as a way to periodically monitor vendor and remind vendor of privacy and security expectations (i.e. annual or bi-annual re-certification). • Make privacy and security a factor when choosing vendors.

  9. Confidentiality Agreements • Several options exist for binding a vendor to confidentiality requirements: • Business Associate Agreement; • Traditional NDA or confidentiality agreement; • Preparing standard, organization-approved language to insert into services or other agreements; and/or • Compliance Addendum. • Many organizations have developed all three and use them in different situations. • Consider a confidentiality tool to guide business owners regarding when to use which form/language.

  10. Business Associate Agreements • The business associate agreement or “BAA” is the agreement entered into between the covered entity and the business associate to govern the business associate’s creation, use, maintenance and disclosure of PHI. • Typically a separate agreement that applies to one or more underlying agreements, such as service contracts. • May also be an addendum or embedded in the body of the service agreement. • Generally, a best practice is to have only one business associate agreement between one covered entity and one business associate to govern all agreements and relationships between the parties.

  11. Vicarious Liability • A covered entity may be liable for the acts or omissions of its business associates, and a business associate may be liable for the acts or omissions of its subcontractors. • When are you liable? • You may be liable if the business associate/subcontractor is your “agent”. • No bright line rules for when a business associate/subcontractor is an agent – facts and circumstances approach. • Key factor: If you can control the business associate’s or subcontractor’s conduct, the business associate or subcontractor is likely your agent.

  12. Vicarious Liability • Reducing Your Exposure: • Attempt to structure vendor relationships to avoid vicarious liability. • Consider how much ability to control a business associate’s or subcontractor’s acts you need (if any). • Agreements should be narrowly tailored to specific tasks and obligations. • Language saying “not an agent” is insufficient. • Do you really need to disclose PHI?

  13. Vicarious Liability • Reducing Your Exposure (cont.) • Consider conducting due diligence prior to contracting with business associates. • Don’t assume the business associate complies with HIPAA. • Consider requesting to see copies of HIPAA policies and procedures. • Consider security review and audits. • Note: Do you have the time, money and resources to take the above actions? If not, consider a more modest approach, such as a vendor questionnaire.

  14. General Considerations • Develop your own form business associate agreement. • Worth the exercise to determine what you want in the agreement and what your risk profile is. • Try to start with your own form and negotiate from there. • When negotiating a business associate agreement, your goal should be to protect your organization – not to argue/win on every point. • In other words, stay focused and don’t over-lawyer. • Recognize your bargaining power and market position and be realistic in what you can achieve.

  15. Key Terms and Provisions • When drafting, reviewing and negotiating business associate agreements, one should be focused on certain key terms. While all parts of the agreement are important, these are the terms that are most likely to affect the parties’ liabilityand obligations: • Breach notification and mitigation • Cooperation • Indemnification • Insurance • De-Identification • Security Safeguards • Change of Law

  16. Breach Notification • HIPAA requires covered entities to notify affected individuals of a breach of their unsecured (i.e. unencrypted) PHI. • Notifications may also be necessary to the media or government regulators. • States may have their own notification requirements, such as to an Attorney General or consumer protection department. • Notifications must be made as soon as practicable but within no more than 60 days of discovery. • HIPAA requires a business associate to notify a covered entity of a breach of unsecured PHI as soon as practicable but within no more than 60 days of discovery.

  17. Breach Notification • Negotiation Points: • While up to 60 days is permitted by law, regulators will not look fondly upon covered entities who give their business associates that much time – push for a shorter maximum reporting time frame. • If a business associate is concerned about producing a list of affected individuals within a very short time frame (e.g. 3 days), consider a bifurcated obligation – tell the covered entity of the breach first, and give the covered entity the necessary information later. • Make the business associate responsible for receiving timely reports from its subcontractors. • Consider state laws that may require quicker breach reporting, particularly when Social Security numbers are involved.

  18. Breach Mitigation • In addition to breach reporting, many covered entities expect more from their business associates. In other words, if the business associate caused the problem, they own the problem. • Consider: • Require business associate to take reasonable steps to mitigate any potential harm from the breach, including such steps as the covered entity may reasonably require. • Include specific actions the business associate must take, such as attempt to retrieve any lost or stolen information or operate (or arrange for) a call center through which affected individuals can have their questions answered. • Require the business associate to make its records, personnel and advisors available to the covered entity for purposes of the covered entity completing its investigation of the breach.

  19. Cooperation • Investigations. • When under investigation by an Attorney General, the Office for Civil Rights, or another state or federal agency, cooperation by the business associate is often vital. • Include a provision in the BAA that requires the business associate to participate in the investigation and provide the information the covered entity needs. If the investigation is due to an act or omission of business associate, business associate’s cooperation should be at its cost and expense. Otherwise, covered entity typically is required to reimburse the business associate for its costs. • Access to Books, Records and Policies. • At times, a covered entity may want to conduct “due diligence” on a business associate to verify compliance with the BAA or HIPAA. To do so, business associate should be required to make relevant books, records and policies available to the covered entity on a confidential basis.

  20. Indemnification • Indemnification is the concept through which the party at fault makes the other party whole; in other words, the breaching party will pay the costs, expenses, fines and losses the non-breaching party incurs as a result of the breaching party’s act or omission. • While many underlying agreements will address indemnification, it is often best to specifically address indemnification in the business associate agreement and how it applies to the use and disclosure of PHI. • Goal: to not incur costs or damages due to the act or omission of the other party. Costs and damages typically are incurred under a business associate agreement with respect to data breaches and HIPAA violations.

  21. Indemnification • Negotiating Points: • Business associate should be responsible for all costs the covered entity incurs due to a breach or violation of law/the BAA. If the business associate refuses such a “blank check,” the indemnification clause should specify the costs for which the business associate will be responsible (e.g. attorney fees, notification costs). • Caps? Many business associates will want a cap or a limitation on their liability. While often reasonable, seek to tie the cap to the amount of PHI or the risk profile of the arrangement. Also consider linking indemnification to insurance (to be discussed later on). • Be careful about limitations on liability contained in the underlying agreement.

  22. Mutual Indemnification • Often, one party will propose replacing a standard indemnification clause with “mutual indemnification.” This means that each party will indemnify the other, typically for the same costs and damages. • Negotiating Points: • Mutual indemnification is generally more beneficial to the covered entity than the business associate because in a business associate relationship, the covered entity is more likely to be the one seeking to recover costs or damages. • In a business associate agreement, the business associate is the party more likely to violate the agreement because they have more obligations under the agreement.

  23. Breach Reimbursement • When indemnification is not on the table, or is unnecessarily delaying negotiations, consider breach reimbursement as an alternative. • Focusing business associate liability on breach reimbursement benefits the business associate by limiting the scope of potential liability, and the covered entity by protecting it against its greatest monetary risk. • Consider: • Caps - tied to insurance? • Identifying specific costs to be reimbursed (e.g. call center? attorney fees?). • Reimburse for subcontractor breaches.

  24. Insurance • An indemnification clause is valuable only to the extent the indemnifying party can pay what is owed. Given the high and increasing costs of data breaches and HIPAA violations, covered entities often feel more secure knowing that a business associate has appropriate insurance to cover indemnification obligations. • Negotiating Points: • Generally speaking, insurance is more important when dealing with a small, financially insecure business associate than a large, established company (e.g. a one-person start-up vs. large public company). • Not just any insurance will do – traditional liability and malpractice policies won’t cover breaches – require cyber liability insurance.

  25. Insurance • Negotiating Points (cont.) • Establish minimum insurance limits that the business associate must maintain throughout the term of the business associate agreement. • Consider tail coverage – some breaches are discovered only after the arrangement ends. • Don’t limit your indemnification to the insurance coverage – insurance doesn’t cover everything and you still want to be made whole regardless of the scope of the applicable insurance policy. • Consider a bifurcated cap – covered costs paid by, and to the maximum amount of, insurance; other costs paid out of pocket. • Note: Insurance typically does not cover fines or penalties. • How much to require? Depends upon the amount of PHI, the risk profile of the arrangement, and the bargaining positions of the parties.

  26. De-Identification of PHI • De-identification is the process by which certain identifiers are removed from PHI so that the subject of the PHI can no longer be identified. • Many vendors seek a right to de-identify PHI they receive to use for their own purposes, such as research or quality improvement. • When vendors first started doing this, covered entities often sought to prevent de-identification in the business associate agreements. However, it has become much more common and largely accepted. • Negotiating Points: • Require that any de-identification be performed in accordance with HIPAA. • Require covered entity identifiers to also be removed. • Hold the business associate responsible for improper de-identification.

  27. Security Safeguards • Review what type and how much information you are providing to a business associate – given the risk profile of the PHI being provided, should the covered entity require any particular safeguards to be employed by the business associate? • Consider the following: • Mandate encryption when PHI is emailed or stored. • Mandate confidentiality agreements with business associate employees with access to the PHI. • Mandate adherence to any applicable state laws or standards. • Prohibit storage of PHI on personal devices or servers.

  28. Change of Law • HIPAA and its implementing regulations, as is true with many health care laws, are routinely being amended, revised and re-interpreted. Because of this, an arrangement that is legal today may become questionable, more risky, or even illegal tomorrow. • To address this concern, consider the following: • Covered entity retains the right to amend the business associate agreement in the event of a change in law. • Covered entity may do this unilaterally (preferred) or in consultation with the business associate. Failure to agree to a timely and satisfactory amendment would terminate the business associate agreement and the underlying agreement. • Negotiating Tip: Don’t be held hostage by the other party – ensure an ability to modify or get out of an agreement should it become illegal or questionable.

  29. Where Do BAA Negotiations Go Awry? • Negotiators often spend considerable time and effort on BAA terms which, while important, may not be a covered entity’s priorities. These may include: • Governing law – if unable to get your preferred state, defer to the underlying agreement, go with Delaware or leave blank. • Assignment – consider whether you care if the vendor gets bought out or sold – are you interested in the person or the company? • Individual rights – many vendors won’t have a “designated record set” and won’t be subject to the individual rights provisions. Consider if the provisions apply to the business associate arrangement prior to negotiating.

  30. Non-BAA Confidentiality Agreements or Clauses • While BAAs are crucial, don’t ignore non-BA vendors or other third parties. • Even non-BAs pose a data privacy and security risk with respect to patient data as well as corporate, employee and other non-HIPAA data. • The extent and scope of such requirements should be based upon the risk to the organization. • Key Terms: • Commitment to confidentiality • Compliance with laws and policies • Incident reporting • Reimbursement

  31. Confidentiality Requirements • Define confidential information. • Prohibit requesting or accessing confidential information outside the scope of the engagement. • Maintain confidential information obtained through “incidental” use or disclosure in strict confidence. • Do not maintain, copy or misappropriate any confidential information. • Notification of any subpoena or government request for the confidential information. • Utilize commercially reasonable safeguards to protect the confidential information. • Require employees, agents and subcontractors to agree to the same requirements.

  32. Compliance • Require vendor to comply with all applicable law, including state data privacy and security laws. • Require vendor to comply with all organizational policies and procedures regarding access to information systems or premises, including: • User authentication; • Sharing of passwords; • Visitor sign-in/out and badge requirements; and • Remaining accompanied by organization personnel while on-site.

  33. Incident Reporting • Require vendors to report data security incidents. • A data security incident may be defined as any use or disclosure of confidential information in violation of the confidentiality agreement. • Key Requirements for Vendor: • report the incident; • safeguard the confidentiality of the information involved in the incident; • take reasonable steps to destroy or return the information involved in the incident; and • take reasonable steps to mitigate any harm from the incident.

  34. Reimbursement and Liability • Particularly if a large amount of data is involved, or the potential exists for access to sensitive information, consider: • Incident Reimbursement: Require vendor to reimburse organization for any costs, fines, penalties or expenses incurred as a result of the incident. Consider specifying which costs (if not all), cap on liability (tied to insurance?), insurance mandate, and exceptions to reimbursement (vendor not solely to blame?). • Indemnification: Vendor holds organization harmless and makes organization whole in the event of a claim arising from the vendor’s use or disclosure of data. • More important in light of growing negligence claim activity.

  35. Compliance Addendums • Don’t limit yourself to privacy and security – for example, the compliance addendum is a great opportunity to address other pertinent legal issues applicable to your organization. • Consider: • Exclusions • HHS Access to Records • Use of Names/Marks • Conflicts of Interest • Inducements • Compliance with policies/procedures • Joint Commission

  36. Vendor Privacy Disputes • Contractual Disputes • Security Incidents • Data Breaches

  37. Contractual Disputes • Contractual disputes regarding privacy arise when obligations regarding the use, disclosure and return/destruction of confidential information/PHI are not clearly specified. • To minimize disputes, consider: • Vendor internal use of information; • Vendor obligations upon receipt of a subpoena or government request for information; • De-identification (e.g. does a risk of identification remain? May your organization be identified?); • Retaining copies of data upon termination of agreement; and • Aggregation rights.

  38. Security Incidents • For purposes of HIPAA, a security incident “means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” • Focus on which security incidents you want to be notified of – consider agreeing that unsuccessful incidents will occur and that a contract is “notice” of such incidents. • Recognize that you may want to be notified of incidents even if they don’t involve PHI. • Ensure a right to ask more questions and get information as needed in case you want to conduct an evaluation.

  39. Data Breaches • In a data breach situation, a covered entity should consider the following when dealing with a vendor: • Prompt/immediate notice of incident; • Timely production of available data; • Cooperation and mitigation; • Be wary of assigning notification obligations to a BA – if so, be sure to have very strong contractual language; and • Don’t burn bridges – in a breach, you need your vendors and their good will.

  40. Questions? Contact Information William J. Roberts Shipman & Goodwin LLP 860-251-5051 wroberts@goodwin.com www.shipmangoodwin.com

More Related