

For general contracting tips, see our older article.

  1. The final HIPAA/HITECH regulations required new business associate contracts by, at the latest, September 23, 2014. Read more here. We’ve seen business associates request changes in the new contracts that go beyond updates required by the final regulations, for example:
    • Adding that they may de-identify protected health information (PHI)¹ – respond by requesting indemnity for any harm resulting from their use or disclosure of the de-identified PHI.
    • Adding a limit of liability – respond by excepting government penalties resulting from, and the cost of providing notice of, the service provider’s breach of HIPAA. (HITECH increased penalty amounts significantly.)
    • Adding that the business associate may sell PHI as permitted by HIPAA – many plans do not want business associates selling PHI in any circumstance, even if the sale would be permitted by HIPAA.
  2. Administrators and insurers are, in keeping up with the times, establishing health plan electronic applications that can be downloaded and used by covered individuals. While internet interfaces aren’t new, it seems that, with the addition of applications, contracts are more likely to address liability related to this type of interactive system. With that in mind:
    • If the plan is purchasing an application to be downloaded by participants, ask the provider to fully indemnify the plan for third-party intellectual property claims (this would also be true for internet interface services used by participants).
    • If the plan is purchasing an application to be downloaded by participants, beware a “terms of use” (TOU) click that waives participant rights to privacy, limits the application provider’s responsibilities, or enables the provider to sell participant information. (To remedy this, provide that a TOU cannot waive the law and the provider indemnifies the plan for use or sale of personal information.)
  3. Require that health plan administrators contract for and disclose any state taxes that are passed through to the plan but are not clearly assessable against the plan and plan assets, to avoid the type of prohibited transaction found by the Federal Court in Michigan.²
  4. For large plan administrators, require that they obtain internal controls audits—although expensive, they are becoming industry standard.
  5. When contracting (or modifying a contract) with a retirement plan covered service provider, require a current ERISA 408(b)(2) fee disclosure. Read more about ERISA 408(b)(2) disclosures here.

From all of us here at MMPL, your employee benefits law firm.

Not intended as legal advice.

  1. This is permitted by the final HIPAA/HITECH regulations. See 45 CFR § 164.514.
  2. Pipefitters Local 636 Insurance Fund v. Blue Cross and Blue Shield of Michigan, 722 F.3d 861 (6th Cir. 2013). State taxes take various forms, for example, the claims paid surcharges in Maine, Massachusetts, Michigan, New York and Vermont, and the child vaccination taxes in Idaho, Maine, Vermont, Massachusetts and Connecticut.