
You know that moment when someone casually slides a contract across the table and says, “Just sign here”? Yeah, don’t do that—especially when it’s a Business Associate Agreement. This episode is a deep dive into the dark corners of BAAs, the traps they hide, and why you should read every line like it’s a ransom note. From ping floods to passive-aggressive breach clauses, we unpack the weird, wild world of healthcare contracts. Oh, and stick around—because just when you think it can’t get any messier, a breach shows up to ruin everyone’s day.
In this episode:
BAAs, Breaches, and the Art of Covering Your Assets – Ep 519
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity.
Great idea! Share Help Me With HIPAA with one person this week!
Learn about offerings from the Kardon Club
and HIPAA for MSPs!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
When you see a couple of numbers on the left side of the text below click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!
BAAs, Breaches, and the Art of Covering Your…Assets
[01:05] You had better be reading those BAAs, folks. The terms of these agreements are evolving as changes in supply chain management are implemented. If you haven’t been paying close attention before now, you need to start now. Language in a recent one we were asked to sign had some of the newer points I have expected to see become more routine. Here is the original language (emphasis added):
Notification of Security Incidents and Breach of Unsecured PHI. Business Associate shall immediately, but in no case longer than five (5) business days following discovery, notify Covered Entity of any actual or suspected Security Incident or Breach of Unsecured Protected Health Information. The notice shall include: (i) the identification of each Individual whose PHI or Unsecured PHI has been or is reasonably believed by Business Associate to have been accessed, acquired, used, or disclosed during the Security Incident or Breach, (ii) a brief description of what happened, including the date of the Security Incident or Breach and the date of the discovery of the Security Incident or Breach, (iii) a description of the types of PHI or Unsecured PHI that were involved in the Security Incident or Breach, (iv) any preliminary steps taken to mitigate the damage, and (v) a description of any investigatory steps taken. In addition, Business Associate shall provide any additional information reasonably requested by Covered Entity for purposes of investigating a Breach of Unsecured PHI. A Breach shall be treated as discovered by Business Associate as of the first day on which the Breach is known to Business Associate (including any person, other than the Individual committing the Breach, that is an employee, officer, or other agent of Business Associate) or should reasonably have been known to Business Associate to have occurred. Covered Entity shall have the sole right to determine, with respect to a Breach: (y) whether notice is to be provided to Individuals, regulators, law enforcement agencies, consumer reporting agencies, media outlets and/or the Department of Health and Human Services, or others as required by law or regulation, in Covered Entity’s discretion, and (z) the contents of such notice, whether any type of remediation may be offered to Individuals affected, and the nature and extent of any such remediation. 
The provision of the notices to affected Individuals, and any remediation which Covered Entity determines is required or reasonably necessary, shall be at Business Associate’s sole cost and expense.
We requested two additions to the contract because we don’t think what is in here is unreasonable. In fact, we have often discussed with clients the value of having this language in there. Our two requested additions:
Remove the cost provision from paragraph (m) and add a new paragraph (n):
(n) Responsibility for Notification Costs. Business Associate shall be responsible for the costs of providing notices to affected Individuals required under applicable law to the extent the Breach is reasonably determined to have resulted from acts or omissions of Business Associate or its subcontractors or agents.
Also add a new paragraph about the definition of Security Incident.
(o) Security Incident Stipulation. For purposes of this Agreement, routine activities such as pings, port scans, and similar Internet background traffic shall not constitute a Security Incident requiring notification unless they result in a successful unauthorized access, use, disclosure, modification, or destruction of Protected Health Information.
Takeaways:
[16:10] - The breach-cost indemnification clauses are sometimes very broad. Make sure you understand what that means and decide how specific you want to be in them. Long term, specific language is better, but it is often harder to track.
- Check your contracts for this type of Security Incident language, because you may be in a constant state of breach of contract, at least technically. Lawyers would have to argue the point, which will only cost you a lot of money and may not end in your favor.
- The termination language is very broad in the basic template BAA we often see, but we will be seeing more going into that section too. For example, this one happened to have the following Termination for Breach language (emphasis added):
Covered Entity party may terminate this Agreement if it determines that Business Associate has breached a material term of this Agreement. Alternatively, Covered Entity may choose to provide Business Associate with notice of the existence of an alleged material breach and afford an opportunity to cure the material breach. If Business Associate fails to cure the breach to the satisfaction of Covered Entity, Covered Entity may immediately thereafter terminate this Agreement and report the breaching party to the Secretary.
- Language that further defines termination for cause plus the transition is something I would not be shocked to see begin showing up as well. I haven’t seen it like this in the wild, but here is an example:
- Termination for Breach of Business Associate Agreement. In the event of a material breach by the Business Associate of this Agreement or of the Business Associate’s obligations under HIPAA, the Covered Entity may terminate this Agreement and any related services agreements without penalty or further payment obligation, except for services properly performed and accepted prior to termination. Any provisions requiring accelerated payment, liquidated damages, or early termination fees shall not apply in the event of such termination.
- Transition Assistance Upon Termination. Upon termination of this Agreement for any reason, Business Associate shall provide reasonable cooperation and assistance to Covered Entity to facilitate the orderly transition of services and any Protected Health Information (PHI) to Covered Entity or its designated successor. Such assistance shall include, but is not limited to, the timely provision of data, documentation, and support necessary to ensure continuity of services and to protect the confidentiality, integrity, and availability of PHI in accordance with HIPAA and other applicable law. Business Associate shall not condition such cooperation on the payment of any additional fees beyond those due for services rendered through the termination date.
- Make sure the agreement has Security Incident defined and that it stipulates the exclusion of the internet noise we expect to see all the time, mostly because of the termination language.
- Understand your reporting requirements for Security Incidents and Breaches in all your contracts now and definitely moving forward. There are specific time frames in all of them. Someone trying to stick to the 60-day thing… Well, see item 2 above and 5 below for that one.
- A turnaround time of 3-5 days will be standard on most contracts if it isn’t already.
- Plus, I would not be surprised to see more of these kinds of clauses which allow the CE to be the one to ultimately make the notification decisions.
As a BA, you should plan to present the facts exactly as you would document them internally to determine whether there was actually a breach of PHI or just a security incident. If there was a breach, is there an exclusion that applies? If not, do your four-factor probability of compromise assessment, document it, and send it upstream.
- The hardest one of all, though, is the flow-down clause. The BAA is required to tell you that you must have downstream BAAs for your subcontractors. That language often says something like you must have them:
- “agree in writing to comply with the same restrictions and conditions that apply to Business Associate under this Agreement with respect to such information”.
- “execute a written agreement that imposes obligations on the subcontractor that are at least as stringent as those imposed on Business Associate under this Agreement and HIPAA,”
Start asking your vendors about these clauses in your BAA and what they plan to do about them, since failing to require the same level of requirements from them puts you in breach of the BAA.
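To make the two clauses above concrete, here is an added example (not code from the episode, Kardon, or any BAA) of how a Business Associate might triage events against the requested paragraph (o) carve-out and the five-business-day notification clock, and check a draft notice against items (i) through (v). The event records, dates and notice fields are constructed for illustration, and the deadline counter treats only weekends as non-business days, which is an assumption.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Activities the requested paragraph (o) treats as Internet background noise.
BACKGROUND_NOISE = {"ping", "port_scan", "background_traffic"}
# The outcomes that turn background noise into a reportable Security Incident.
PHI_OUTCOMES = {"access", "use", "disclosure", "modification", "destruction"}
# Contract clock: "in no case longer than five (5) business days following discovery".
DEADLINE_BUSINESS_DAYS = 5
# Items (i) through (v) the notice must contain (field names are our own choice).
NOTICE_ITEMS = ("individuals", "description", "incident_date", "discovery_date",
                "phi_types", "mitigation_steps", "investigation_steps")


@dataclass
class SecurityEvent:
    event_id: str
    event_type: str
    succeeded: bool             # did the activity actually achieve anything against PHI?
    phi_outcome: Optional[str]  # one of PHI_OUTCOMES, or None
    first_known: date           # first day the BA knew or should reasonably have known


def is_reportable(ev: SecurityEvent) -> bool:
    """Apply paragraph (o): noise is excluded unless it produced a successful
    unauthorized PHI outcome. Anything outside the carve-out (actual or suspected
    unauthorized activity, attempted or not) stays under the broad reporting clause."""
    if ev.event_type in BACKGROUND_NOISE:
        return ev.succeeded and ev.phi_outcome in PHI_OUTCOMES
    return True


def add_business_days(start: date, days: int) -> date:
    """Count forward `days` weekdays from `start` (holidays not modelled; assumption)."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday..Friday
            remaining -= 1
    return current


def notification_deadline(ev: SecurityEvent) -> Optional[date]:
    """Latest date the Covered Entity must be notified, or None if not reportable."""
    if not is_reportable(ev):
        return None
    return add_business_days(ev.first_known, DEADLINE_BUSINESS_DAYS)


def missing_notice_items(notice: dict) -> list:
    """Return the (i)-(v) elements absent or empty in a draft notice."""
    return [item for item in NOTICE_ITEMS if not notice.get(item)]


def triage(events) -> list:
    """One decision row per event, suitable for the BA's internal incident log."""
    return [{"event_id": ev.event_id,
             "reportable": is_reportable(ev),
             "notify_by": notification_deadline(ev)} for ev in events]


# Constructed sample events (not from the episode). 2025-10-01 is a Wednesday.
SAMPLE_EVENTS = [
    SecurityEvent("evt-1", "port_scan", False, None, date(2025, 10, 1)),            # noise
    SecurityEvent("evt-2", "ping", True, None, date(2025, 10, 1)),                  # noise
    SecurityEvent("evt-3", "compromised_account", True, "access", date(2025, 10, 3)),
    SecurityEvent("evt-4", "port_scan", True, "access", date(2025, 10, 2)),        # scan that led to access
    SecurityEvent("evt-5", "failed_login_burst", False, None, date(2025, 10, 6)),  # attempted, not noise
]

# Constructed draft notice for evt-3 with item (iv) left blank.
SAMPLE_NOTICE = {
    "individuals": ["patient-0001", "patient-0002"],
    "description": "Staff account credentials misused to open the records system",
    "incident_date": "2025-09-30",
    "discovery_date": "2025-10-03",
    "phi_types": ["name", "date of birth", "diagnosis"],
    "mitigation_steps": "",
    "investigation_steps": "Account disabled; authentication logs preserved for review",
}

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
    print("missing notice items:", missing_notice_items(SAMPLE_NOTICE))
```

The point of keeping `is_reportable` separate from the deadline math is that the carve-out is the only thing the requested paragraph (o) changes; the discovery date and the five-business-day clock come straight from the quoted clause and apply to every reportable event regardless of how it was classified.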
Another Enforcement Action – SRA
[45:10] Another enforcement action, well, a resolution agreement, about SRAs. This one is a huge affiliated CE with entities all over the country. There were 14 different entities listed, covering mostly the Southeast and Midwest. Deer Oaks settlement announcement:
“Identifying potential risks and vulnerabilities to ePHI is a key step in preventing or mitigating breaches of protected health information,” said OCR Director Paula M. Stannard. “An accurate and thorough HIPAA risk analysis can minimize the exposure of ePHI from both malicious actors and inadvertent errors. Based on OCR’s experience enforcing potential HIPAA Security Rule violations, the covered entity or business associate under investigation will often have deficient risk analysis practices. Common deficiencies include lacking a risk analysis entirely or failing to update existing risk analyses when implementing new technologies or expanding operations that affect the security of ePHI.”
The settlement resolves an investigation that OCR initiated in May 2023 after receiving a complaint alleging that Deer Oaks impermissibly disclosed the ePHI of individuals, including patient names, dates of birth, patient identification numbers, facilities, and diagnoses, by making patient discharge summaries publicly accessible online. OCR’s investigation substantiated the allegations and verified that the ePHI was accessible publicly via the Internet. According to Deer Oaks, a coding error in a now-discontinued pilot program for an online patient portal caused the ePHI to be exposed and cached by search engine providers from at least December 2021 until May 19, 2023. OCR’s investigation found that Deer Oaks impermissibly disclosed the ePHI of 35 individuals when it allowed the discharge summaries and initial assessments of those individuals to be accessible to the public online.
OCR expanded the investigation in July 2024 after Deer Oaks experienced a breach on August 29, 2023, of its network resulting from a compromised account. A threat actor claimed to have exfiltrated data and demanded payment to prevent posting the ePHI on the dark web. Deer Oaks provided breach notifications to HHS, 171,871 affected individuals, and the media related to the August 2023 incident.
Based on its investigation into both incidents, OCR found that Deer Oaks failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the ePHI that it held.
The terms of the resolution agreement required them to pay $225,000 and agree to a 2-year corrective action plan (CAP).
So the moral of the story? Treat BAAs like your nosy aunt’s holiday fruitcake: inspect thoroughly, slice with caution, and don’t just accept what’s handed to you. Ignoring those clauses can leave you paying for someone else’s mess—or worse, stuck explaining to regulators why your security “plan” was more of a polite shrug. And remember, a poorly worded agreement isn’t just a nuisance—it’s a neon-lit, breach-sized vulnerability waiting to explode.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance,
it’s about patient care.™
Special thanks to our sponsors Security First IT and Kardon.