Form R.1: Data Privacy/Security Checklist 925


FORM R.1

Data Privacy/Security Checklist

THIS CHECKLIST IS TO BE USED ONLY AS A GUIDE WHEN ASSESSING THE ACCEPTABILITY OF CLIENT PROPOSED DATA PRIVACY AND SECURITY RELATED REQUIREMENTS AND RELATED CONTRACTUAL PROVISIONS. IT IS NOT INTENDED TO BE A COMPREHENSIVE LIST OF THE DATA PRIVACY AND SECURITY ISSUES/RISKS ASSOCIATED WITH A PARTICULAR TRANSACTION. IT DOES NOT PROVIDE SUGGESTED LANGUAGE AROUND ALL PRIVACY AND SECURITY ISSUES IN DIFFERENT TYPES OF TRANSACTIONS. EACH CLIENT’S PRIVACY/SECURITY REQUIREMENTS SHOULD BE REVIEWED IN THE CONTEXT OF THE UNDERLYING TRANSACTION, CLIENT’S PARTICULAR INDUSTRY AND ANY CONTROLLING POLICIES/AGREEMENTS. THIS CHECKLIST APPLIES TO U.S. COMMERCIAL DOMESTIC AGREEMENTS UNDER WHICH THE DATA IS U.S. DATA ONLY. IF DATA OF CITIZENS OF OTHER COUNTRIES IS BEING PROCESSED OR IF SERVICES ARE BEING PROVIDED INTERNATIONALLY, INTERNATIONAL COUNSEL NEEDS TO BE CONSULTED.

CLIENT: ______
CONTRACT: ______

I. Client Policies

1. Nature of the Policies

Are Client’s policies static or fluid (i.e., set forth on a web-portal and subject to change)? If static, attach, or reference, if appropriate, the negotiated policy to the underlying agreement as an exhibit.

NOTE: For purposes of this checklist, specific contractual security/confidentiality/data privacy obligations in a contract should be considered in the same manner as policies.

If fluid, how is Licensor protected in the event of a change to the policy? Who on the Licensor project team is responsible for identifying ongoing changes made to the policy and ensuring compliance with such changes? Is Client obligated to notify Licensor of any changes to its policies after execution of the agreement? Who bears the additional cost, if any, of complying with the change in policies? What if the requirements are unreasonable or cost prohibitive?

153 154 A Practical Guide to Software Licensing for Licensees and Licensors, 6th edition

NOTE: If at all possible, Licensor should not agree to comply with a policy posted to a Client’s web-portal due to the risk of Licensor failing to identify subsequent changes to the policy and the inability of Licensor to protect against the financial risk arising from future changes. If Licensor agrees to be bound by policies posted on Client’s web-portal, Client should have the obligation to notify Licensor when a change is made. Financial or other impacts of a policy change should ideally be addressed through the change order process. Licensor cannot bear the risk of future changes unless its pricing has contemplated such changes. If Client is unwilling to utilize a change order process, Licensor should have the right to reject any material change to Client’s policies that impacts Licensor’s cost or ability to comply, in which case Client may as its sole remedy terminate the Agreement (or applicable Statement of Work) upon reasonable advance notice to Licensor. Termination should be a “convenience” type of termination and be fee-burdened if a termination for convenience would otherwise be fee bearing.

For transactions with a total contract value of US$500,000 or more or a high level of risk, has Licensor’s project management team assigned a lead information risk manager (LIRM) or issued a comprehensive information security policy, operating procedures, and associated responsibility statements based on Licensor’s contractual obligations and Client’s policies? Who will fill the role of LIRM if the project cannot support an FTE in this role? These policies and procedures should be drafted upon execution of the Agreement by the project team and distributed internally to all members of the team. It should be noted that the process of generating these items may be billable internally and would have to be priced into the project at commencement to avoid dilution of anticipated margin.

2. Disclosure of Information

Will Licensor (as opposed to Client using Licensor’s systems) share, transfer, or release any information to third parties?

With whom, if anyone, is the information being shared, transferred, or released? This includes subsidiaries, partners, contractors, VARs, government investigatory agencies/bodies, etc.

Will Client expect to be notified before any transfer? Will it be only under certain conditions? Will Licensor be required to document all such disclosures and produce such documentation to Client?

What specific information, if any, is being shared, transferred, or released?

What is the geographic location of these individuals and entities? What state specific or country specific laws apply, in particular, what state specific data breach notification requirements may there be?

As to subpoenas from governmental entities or third parties in disputes with Client:

What are Licensor’s contractual responsibilities once it receives a subpoena? Who bears the cost of complying with the subpoena should it be determined that information must be generated and turned over to an opposing party or investigating agency or other body?

Are the limitations on disclosure of information broad enough to allow Licensor to disclose the information to those employees, contractors, auditors and subcontractors who need access to support the contract? Do those limitations on disclosure require that we have any particular contractual or other restrictions with those to whom access is provided? If so, who on the account team is responsible for ensuring that the restrictions have been complied with prior to disclosure?

Is Licensor going to use employees and contractors outside of the United States on the project? If so, are there additional/special limits on Licensor disclosing information to Licensor employees and contractors working outside of the United States? What about non-U.S. citizens working in the U.S.; do they need to be identified? Client imposed limitations on Licensor’s ability to disclose confidential information to employees/contractors outside of the U.S. may prevent Licensor from efficiently performing the services, and may result in increased costs of the services. Has project management considered the export implications of moving such information offshore or the costs of being restricted from doing so?

NOTE: In most cases, Licensor cannot be limited as to how it allocates the work among different countries and it must retain the ability to allocate work in the most effective and cost-efficient manner possible. Licensor prefers not to condition its right to perform work outside the United States on Client’s prior consent, but can agree to notify Client in the event any work will be performed outside of the United States. In some transactions, Client may be in a bargaining position to impose limitations. If so, consent to a broad list of locations should be obtained as part of the initial contract.

3. Use of Information

May Licensor use information and data derived from Client’s confidential information for Licensor’s own purposes, if Licensor removes all personally identifiable information?

NOTE: The right to use de-identified Client information may be very important for future data warehouse projects where Licensor seeks to create a “product.” It can also be very helpful for use as a “test bed of data” for future software development projects.

Model language: Notwithstanding any other provision of this Agreement, Licensor may utilize data capture and analysis tools, and other similar tools, to extract, compile, synthesize, analyze, and use any Blind Data. “Blind Data” means non-individually identifiable and non-client identifiable data or information created from Client’s data submitted for data processing. Blind Data excludes: 1) any specific Client identifiable information such as individual names and physical addresses; and 2) any specific Client information related to a report, or any party to a report, such as name, gender, race, ethnicity, human resources identification number, social security or international identification number, E-Mail address, home address, and home phone number. To the extent that any Client Blind Data is collected or compiled by Licensor, such Blind Data shall be solely owned by Licensor without any restrictions whatsoever. Client acknowledges that Licensor’s ability to use and dispose of Blind Data is part of the consideration Client is paying to Licensor for the services and no fee or other consideration will be paid or owing to Client by Licensor for Licensor’s use and/or disposal of the Blind Data.

ALTERNATIVE LANGUAGE: Below is language Licensor uses in contracts for systems financial services organizations host on Licensor servers.

7. DATA REPORTS

7.1 Composition of Data Reports. During the term of this Work Assignment, Client authorizes Licensor to collect data reports from Client relating to Client’s use of the Licensed System (“Data Reports”). The Data Reports shall not include information which would identify Client as the source of the Data Reports and shall not include any of the following data fields with respect to any individual claimant or insured, which data fields shall be overwritten or omitted in the Data Reports: Comments, Claim/Claimant Number and Format, Non-Medical Information, Claimant Name (or other details), Insured Name (or other details), Adjuster Name, History Log Data, Consultation History Data, or any other basic or customized claim information (except that Date of Loss, Date of Assessment, Age/Date of Birth, and Gender will be collected).

7.2 Title to Data Reports. Licensor shall be the sole owner of all rights and title in and to the Data Reports described herein and the Data Reports shall be considered to be Licensor Confidential Information pursuant to the terms of the Agreement.

8. DATA PRIVACY WARRANTY, REPRESENTATION, AND INDEMNITY

8.1 Warranty and Representation. Client warrants and represents that provision of data to Licensor and Licensor’s use of the data to exercise its rights and perform its obligations under this Work Assignment and the Agreement (including but not limited to the provision by Licensor to Client of the Services described in this Work Assignment and creation of the Data Reports) will be in compliance with all applicable laws, including but not limited to, any application of the Health Insurance Portability and Accountability Act of 1996 and associated regulations, the Gramm-Leach-Bliley Act and associated regulations, the Federal Trade Commission Act, other consumer protection laws, and other laws governing the collection, use, maintenance and disclosure of personal information, and any applicable court order or Client contractual commitment.

8.2 Indemnity. Client agrees to defend, indemnify, and hold Licensor (and its affiliates) harmless from and against any claims, demands, and actions, and any liabilities, damages, or expenses resulting therefrom, including court costs and reasonable attorney fees, arising out of or relating to a breach or alleged breach of the warranty and representation in Section 8.1 of this Work Assignment. Client’s obligations under this Section shall survive the termination of this Work Assignment for any reason. Licensor agrees to give Client prompt notice of any such claim, demand, or action of which Licensor receives notice and shall, to the extent Licensor is not adversely affected, cooperate fully with Client in the defense and settlement thereof.

8.3 Exception to Indemnity. Client shall have no duty under Section 8.2 of this Work Assignment to indemnify Licensor against any claims arising out of or relating to Licensor’s material breach of Section _____ (Composition of Data Reports) of this Work Assignment.

4. Client Information

Does Licensor have a plan to minimize the collection of Client data in order to comply with any contractual obligation to restrict access and use of the data solely for the purposes contemplated by the Agreement? Who is responsible for ensuring Licensor complies with Licensor’s contractual data related obligations (e.g., the Project Manager or someone else)? Have these obligations been effectively communicated by Legal during the negotiation process to all members of the delivery and project management team, and have limitations to access been built into the business process to ensure no inappropriate disclosure happens? Who is responsible for tracking all Client data throughout the lifecycle of the engagement so it can all be returned or destroyed at the end of the engagement? If Licensor is instructed by Client to destroy the data and also provide certification as to such destruction, who within Licensor will undertake the secure destruction and provide the actual Certificates of Destruction, and who will pay for that service?

5. Stated Standards

Why does Licensor need to comply with the stated standards? Is Licensor’s compliance required by law or simply desired by Client? If Licensor stores (on behalf of Client) certain data types, and there is a breach, government agencies may hold Licensor directly liable, so how does Licensor mitigate that risk? Does Licensor’s proposed approach to the performance of services meet/comply with the stated standard? If the standards are stated by reference to particular statutes, are the requirements understood by the account team? Is there a procedure in place to monitor changes in the referenced standards? Are the stated standards static or fluid (e.g., set forth on a web site and subject to change)? If static, attach (or reference) the stated standard as an exhibit. If fluid, how is Licensor protected in the event of a change to the standard? Who bears the additional cost, if any, of complying with the change in the standard?

Will Licensor supplement the information received directly from Client with additional information received from third parties, or information received by mechanisms other than those to which Client has explicitly consented? If so, are there additional standards that need to be complied with relative to amendment of data, commingling of data, and storage of data?

NOTE: Responsibility for compliance resides with the project group, not Legal. Please make sure the project group understands this.

NOTE: Do not assume that Licensor or a particular division within Licensor complies with a particular standard. You must confirm that the Licensor Division in question actually complies. If multiple Licensor Divisions will be providing services, you must confirm that EVERY Division complies. Contact NAME to determine which divisions of Licensor are compliant with a particular standard. Avoid agreeing to broad based statements of compliance that apply to all of Licensor. For example, some divisions of Licensor may be ISO 9000/1 compliant, while others may not be.

Standards to Which Licensor is Not Compliant

Licensor is not a signatory to the “Safe Harbor” privacy principles associated with the European Data Protection Directive (95/46/EC), although it is willing to state that it adheres to the Eight Principles of Data Protection (the “Principles”) as set forth in the Directive, but there must be an individual accountable to ensure such adherence.

NOTE: If required to comply with a particular standard, negotiated responses may include: (i) limiting the compliance obligation to a particular division within Licensor or to the individual transaction; (ii) challenging such obligation on the grounds that Licensor’s compliance is not legally required; or (iii) agreeing that Licensor will seek compliance provided Licensor’s costs are covered. The actual response will depend on the standard in question. For example, Licensor does not state that its products/services/systems are “HIPAA Compliant” but rather “HIPAA-Ready,” under the belief that Licensor would be giving a legal opinion if it stated they are “HIPAA Compliant.” Either term is acceptable provided the stated definition of the term is appropriate. In complex service agreements, Licensor’s obligations may be limited to complying with specific requirements specified by Client as meeting its view on HIPAA compliance. For any questions regarding compliance speak to NAME.

6. Project Management

Who within Licensor is responsible for the following aspects of compliance for the project or contract as a whole?

Project Manager: ______
Administrative Safeguards: ______
Physical Safeguards: ______
Technical Safeguards: ______
Point of Contact for Security Issues: ______
Point of Contact for Human Resource Issues: ______
Point of Contact for Incident Notification & Escalation: ______
Point of Contact for Issue Resolution and Communication: ______

7. Employee/Contractor Issues

If applicable, who is responsible for developing an Acceptable Use Policy (AUP) for Licensor employees and contractors outlining the contractual obligations, as well as the consequences of misuse of Client data? If the project manager is not going to prepare an AUP, have they been apprised of the risk of not doing so? Who is responsible for ensuring no potential conflicts of interest exist? If required, have all employees and contractors executed written acknowledgements of their understanding and acceptance of Client’s information/security policies? If so, who is responsible for maintaining those records? Has the execution of properly signed confidentiality agreements been verified before proprietary and/or sensitive information is disclosed, in any form, to employees and non-Licensor individuals? (Most employees will have satisfied this requirement through the execution of a standard non-disclosure agreement that was part of their on-boarding process with Licensor.) Do employees/contractors understand their obligation to encrypt sensitive and confidential data? Whose obligation is it to ensure that employees/contractors are provided equipment that enables encryption of such data (whether on a desktop, laptop, USB drive, PDA, Blackberry, etc.)? Is the Licensor project manager and/or service delivery manager aware of any ongoing training requirements? Has he/she established ongoing training during the term of the Agreement to meet the contractual requirements? Has a process to document completion of such training been established, and who is responsible for maintaining those records?

8. Licensor Obligations upon Termination of Agreement

Do Client policies require that Licensor dispose of Client data in a particular manner? Are these requirements consistent with Licensor policies? Is Licensor protected in the event of a dispute where Licensor might need the data to defend a claim with Client that may, or may not, be subject to a Litigation Hold/Preservation Order?

NOTE: Data conversion and storage can be very expensive. Licensor should ensure that it has no obligation to store or convert Client data after the termination of the Agreement unless Licensor is compensated for doing so. If Licensor is obligated to return Client’s data and the data is expected to be voluminous, has Licensor included the cost to do so in its pricing? If not, Client should pay all costs associated with the return of such data. In the alternative, Licensor should have the contractual right to simply destroy such data, in which case Client should also be obligated to pay such destruction costs.

Model language: Upon termination of this Agreement for any reason, Licensor shall return or destroy all Confidential Information received from Client, or created or received by Licensor on behalf of Client. In the event that Licensor determines in its reasonable discretion that returning or destroying the Confidential Information is not feasible, Licensor shall notify Client of the conditions that make return or destruction infeasible and shall extend the protections of this Agreement to such Confidential Information and limit further uses and disclosures of such Confidential Information to those purposes that make the return or destruction infeasible, for so long as Licensor maintains such Confidential Information.

II. Related Contractual Provisions

1. Contractors/Subcontractors/Vendors (collectively, subcontractors)

Is Licensor required to flow down any standards, policies, or contractual terms to its subcontractors? Who is responsible for ensuring their compliance? Have all applicable provisions been flowed down to Licensor’s subcontractors? How is Licensor protected in the event its contractors/subcontractors fail to comply? Has Licensor obtained an indemnity from its contractors/subcontractors for their failure to comply?

2. Changes in the Law

Who bears the risk of changes in the law? Who is responsible for tracking changes in the law? Has Licensor priced the financial risk of complying with any changes into its pricing? What ability does Licensor have to protect itself in the event of increased costs due to changes in the law?

NOTE: Licensor should only agree to comply with all laws in existence at the time the contract is executed. Licensor should not agree to comply with all laws as they exist throughout the duration of the contract. Changes in the law should be addressed through the change order process. Client should not be able to transfer the risk of a change in the law to Licensor as this risk originally resided with Client and there is no reason it should flow to Licensor solely because Licensor is providing services to Client.

ALTERNATIVE POSITION: If the change in law impacts Licensor in its capacity generally as an IT services vendor (e.g., proposed changes to HIPAA to apply directly to Business Associates), then Licensor should bear the risk of its compliance. However, if the change in law impacts Licensor because of a particular service it is providing on behalf of Client and the change is specific to that service (e.g., Medicare Part D claims processing), then Client should bear the risk. Licensor can agree to comply with all laws brought to its attention by Client provided Licensor is compensated for any additional cost associated with Licensor’s compliance and the change is implemented through the contract’s change control provisions. Licensor lacks the ability to track all potentially applicable laws throughout the United States and the world. Client is in a better position to do so through its knowledge of its industry and its membership in industry organizations. (While this position may not be valid in an outsourcing transaction, it is more tenable in systems integration/services agreements.)

Model language: Licensor will comply with the following state privacy laws [OPTION: as directed by Client] but only to the extent such laws are applicable to the Services and to the extent Client was in compliance with such laws at the time Licensor commenced providing services: [SPECIFY STATE STATUTES].

Client shall monitor and promptly identify and notify Licensor of all changes in Applicable Laws occurring on or after the Effective Date and all non-compliance existing as of the date Licensor commences services (collectively “Legal Changes”). Client and Licensor will work together to identify the effects of Legal Changes on the provision or receipt of the Services. With respect to Legal Changes, the parties will discuss, in a timely manner, what modifications to the Services, if any, are necessary to comply with such Legal Changes. Licensor shall promptly thereafter propose any amendments or change orders to the Agreement associated with such Legal Changes. Upon Client’s consent, Licensor shall implement the changes to the Services in a timely manner.

3. Indemnification

In general, indemnification for breach of laws should be confined to laws (including data privacy laws) that are actual laws or regulations, which have the force of law. This often involves revisiting the definition of laws in the Agreement. Indemnification should be only for those losses asserted by third parties who are not affiliates (with “affiliates” or “unaffiliated” being a defined term). Indemnities for breach of confidentiality/security should be addressed to Licensor’s obligations under the Agreement, which should consist of a set of discrete known tasks and policies. Attorney’s fees and costs of litigation should be covered only in the event of a wrongful refusal to accept a tender of indemnity. Cross-indemnities for breach of laws should be obtained. The extent to which indemnities are excluded from any limitation of liability needs to be addressed on a case-by-case basis.

NOTE: Licensor’s contracting guidelines provide that Licensor may indemnify against claims related to breaches of confidentiality or security obligations, use of client supplied materials in a noncompliant way, claims (including fines and penalties) related to failure to comply with its obligations related to laws, and claims related to breach of its obligations with respect to client data subject to security and confidentiality obligations. Licensor should attempt to reject any demand by Client for indemnification on the premise that Client’s remedy lies in a claim for breach of contract (damages). No statute requires a vendor to indemnify a client. Many clients will argue that an indemnity is industry standard. If Licensor must give an indemnity, the indemnity should be narrowly drawn to limit Licensor’s risk and apply only to unaffiliated third party claims. Licensor should not indemnify Client for breach of a policy or breach of the Agreement. The indemnity set forth below requires that the indemnified claim be both a violation of the applicable law and a material breach of the Agreement. In addition, it excludes third party claims arising from instructions received from Client. Licensor should seek to make any indemnity mutual.

Model language: Licensor agrees to indemnify, defend and hold harmless Client against all actual direct losses suffered by Client as a result of unaffiliated third party claims arising directly from the use or disclosure of Confidential Information by Licensor or its agents which is both in violation of the [Applicable Laws] and in material breach of this Agreement. Said responsibility adheres only to violations solely attributable to the actions/inactions of Licensor and/or its agents and not to actions/inactions taken or not taken at the request of Client or to actions/inactions of Licensor that are permitted under the [Applicable Laws] and/or this Agreement.

Client agrees to indemnify, defend and hold harmless Licensor against all actual direct losses suffered by Licensor as a result of unaffiliated third party claims arising from any action or inaction of Licensor taken or not taken by Licensor at the request of Client or to actions/inactions of Licensor that are permitted under the [Applicable Laws] and/or this Agreement.

NOTE: “unaffiliated” needs to be a defined term.

4. Representations and Warranties

NOTE: Licensor should not represent or warrant compliance with any particular law, standard or policy. Instead, Licensor should agree (covenant) that it will comply with the applicable policy or law in existence at the time of the Agreement’s execution. Licensor cannot commit to comply with future policies or law without financial and operational protections. As a matter of course, Licensor will sign up to a warranty/covenant that it is in and will remain in compliance in all material respects with all applicable laws that apply to Licensor as a provider of IT services. Licensor is responsible for complying with existing laws and future changes to laws applicable to it as a provider of IT services. Client is responsible for all other existing laws and future changes to laws.

5. Limitation of Liability

If Client’s policies are contained in a freestanding document, does that document contain a limitation of liability? Confirm that the over-arching Agreement’s limitations of liability limit Licensor’s liability for breach of the policy or that the policy contains its own limitation of liability. If Client’s policies are an attachment to the underlying Agreement, is the Agreement clear that breaches of those policies are subject to the Agreement’s limitations of liability? In general, Licensor seeks to limit its responsibility to breach of specific policies and contractually specified tasks as well as its contractual obligation to comply with laws (which may be narrower than laws generally). This is different from a “reasonable standard of care,” which may be acceptable for confidential information that is not client data submitted for processing. Licensor also seeks to have the limitation of liability apply to these obligations, at least as to those matters that are operational in nature; e.g., a firewall server down should be treated as any other server down. Deviations from current Licensor norms around risk allocation should be escalated to NAME if he is available. An exception to a limitation of liability for failure to comply with laws should be addressed through the approval process. It is preferable to limit this exception to discrete activities such as the giving of any required legal notice, the payment of fines or penalties, and the like.

NOTE: Any carve-out from the Agreement’s limitation of liability should be narrowly drafted such that the exclusion applies only to breach of Licensor’s confidentiality obligations and not to a breach of the applicable policy. This carve-out should be mutual so that Client also has unlimited liability for any breach by it of its confidentiality obligations relative to Licensor Confidential Information.

6. Right to Cure

Does the policy provide Licensor with the right to cure, or may Client immediately terminate the underlying Agreement in the event of an alleged breach by Licensor? Does the policy set forth a notice and escalation process?

NOTE: Licensor must have a specified way to cure any alleged breach. Client should provide Licensor written notice describing the breach in detail. Occasionally, Client will point out that it is not possible to cure a security breach if the data is not fully recovered and knowledge of it has spread outside Licensor and Client. Thus, it may not be practical in all instances for Licensor to have a cure period.

The government’s own Business Associate Agreement (“BAA”) template recognizes a Business Associate’s right of cure:

Termination for Cause. Upon Covered Entity’s knowledge of a material breach by Business Associate, Covered Entity shall either:

1. Provide an opportunity for Business Associate to cure the breach or end the violation and terminate this Agreement [and the ______Agreement/ sections ____ of the ______Agreement] if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity;

2. Immediately terminate this Agreement [and the ______Agreement/ sections ____ of the ______Agreement] if Business Associate has breached a material term of this Agreement and cure is not possible; or

3. If neither termination nor cure is feasible, Covered Entity shall report the violation to the Secretary.

See http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html. See also 45 CFR 314(a)(1)(i)(B).

From the OCR Privacy Guidance: “Where a covered entity knows of a material breach or violation by the business associate of the contract or agreement, the covered entity is required to take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, to terminate the contract or arrangement. If termination of the contract or agreement is not feasible, a covered entity is required to report the problem to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).” 45 C.F.R. §§ 164.502(e), 164.504(e), 164.532(d) and (e).

7. Mitigation

Is Licensor obligated to mitigate any breach of a policy? What is the extent of Licensor’s obligation to mitigate its breach? Licensor should not assume a broad obligation to mitigate any breach to Client’s satisfaction. Licensor should do only what is reasonable and leave it to Client to pursue damages if Client believes more is warranted.

NOTE: Clients increasingly seek to impose a mitigation obligation on Licensor to mitigate any deleterious effects from improper disclosure of confidential information. The scope of the mitigation obligation is often undefined, but could include detailed notices to a very large pool, call-in hotlines and, in the case of Gramm-Leach-Bliley data obligations, credit watch services. Mitigation of the harmful effects is a requirement under HIPAA, but the rules do not define what actions must be taken or the scope of mitigation. The issue is one of conceding contractual language that could obligate Licensor to incur expenses in excess of what would otherwise be required to comply with law, based on the demands of Client. The language below obligates Licensor to use “reasonable efforts” to limit “additional losses” but expressly disclaims any obligations that would result in Licensor incurring a material financial expense.

Model language:

Licensor agrees to mitigate, to the extent practicable, any harmful effect that is actually known to Licensor of a Security Incident, caused by Licensor or its subcontractor(s) arising from its provision of the Services. Licensor’s obligation to mitigate shall consist of reasonable efforts to limit additional losses after a Security Incident has occurred. Licensor shall not be required to undertake any actions which cause Licensor to incur a material financial expense.

[OPTIONAL: For purposes of this Agreement, a material financial expense shall mean an expense which will cost in total an amount which is equal to or exceeds five percent (5%) of the fees under the Agreement associated with the provision of Covered Services in the immediately preceding three (3) months.]

8. Viruses

Is Licensor representing, warranting or covenanting that it will not introduce any viruses into Client’s systems?

NOTE: Licensor should only agree to apply commercially reasonable virus detection software to any software delivered to Client and to use its good faith efforts to remediate any problems caused by a virus introduced by Licensor. To avoid a dispute as to what is “reasonable,” you should identify the particular software Licensor will use. Licensor should insist that the negotiated Agreement contain a reciprocal provision from Client. Outside of blocking downloads from certain web sites, Licensor cannot guarantee that a virus will not be introduced into Client’s system. Virus detection software is only reactive, not proactive. Alternatively, Licensor should seek to limit its obligations to a covenant that Licensor will not “knowingly and intentionally” introduce a virus.

9. Third Party Beneficiaries

The Agreement/policies should specifically exclude any third party beneficiaries to limit any potential third party claims against Licensor. HIPAA, for example, does not provide a private cause of action to the owner of Protected Health Information (“PHI”) against a Business Associate who violates the terms of HIPAA or a Business Associate Agreement.

Model language:

Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the parties and the respective successors and assigns of the parties, any rights, remedies, obligations or liabilities whatsoever. There are no third party beneficiaries.

[OPTIONAL – Licensor might want to state that there are no third party beneficiaries other than as specified in the indemnification provisions.]

10. Notices

Due to the inability to confirm actual receipt by the intended recipient, Licensor should not agree to the provision of formal notices via E-Mail or facsimile. The preferred means of delivery is certified mail, return receipt requested or overnight courier. Notices should be sent to legal counsel for the group/entity entering into the Agreement, with a copy to a business team member or the applicable member of the contracts department. All notices should be effective upon receipt.

11. Unilateral Amendment of Underlying Agreement by Client

Is Client allowed to unilaterally amend the Agreement for changes in the law or in the event Client believes a change is necessary to clarify an ambiguity or ensure compliance with an applicable law? How is Licensor protected from increased costs or other obligations? Will any negative impact be addressed through the change order process?

NOTE: Licensor should not agree to allow unilateral change, except when absolutely insisted upon by Client and then only if subject to reasonable advance notice and Client’s binding commitment to financially compensate Licensor for any negative impact, and the other terms, such as timing of implementation, are satisfactory to Licensor. In the alternative, Licensor should be allowed to reject any unilaterally proposed amendment, whereupon Client may terminate the Agreement.

III. Audits, Etc.

1. Security Audits

What types of security audits are required by Client (e.g., SAS 70 Type I, SAS 70 Type II)? Is Licensor already performing this type of audit for the data center in question?

NOTE: If not, the requirements for any such audit will have to be separately coordinated in advance with Licensor’s Corporate Internal Audit Department, and Client should be made to pay for the audit. Additionally, the results of that audit should be restricted to an executive summary specific to Client, if possible.

Who is entitled to review the results?

NOTE: Any disclosure of the audit results should be limited and treated as confidential information. Client should not be permitted to disclose the results to any third party outside of its auditors and possibly its “advisors.” Licensor should specifically require any third party to execute a Non-Disclosure Agreement with Licensor prior to receiving a copy of the results and exclude Licensor competitors from receiving a copy.

Does a security breach trigger a right to audit with respect to security protocols? If the breach occurred because of an employee act, is Client entitled to access the employee’s laptop or records to investigate without Licensor’s consent?

2. Books and Records

Are the audit provisions overly broad (e.g., potentially extending to information regarding other clients, internal memos, or privileged/personal information)? Do they extend beyond books and records to include facility audits, and audits of practices and procedures? Is the audit triggered by a Licensor breach or at the demand of Client? How will “breach” be defined? How often may Client demand an audit and who should pay? Is the audit subject to appropriate controls?

NOTE: Client should be required to provide at least seven (7) days’ prior written notice of its desire to audit Licensor’s books and records to allow Licensor the time necessary to collect and make available for review the relevant records. Client’s audit rights should be clearly stated and limited. Further, the audit should occur at the Licensor office where the books and records are stored during normal business hours, and subject to all applicable confidentiality and Licensor security controls. The length of the audit should be limited to a set period of time to limit disruption to Licensor’s business operations. Licensor should be concerned as to the possibility that an audit of a facility or systems could expose other client data, personal data of employees and/or deficiencies in Licensor’s compliance.

Model language:

Licensor agrees to make those internal practices, books, and records specifically relating to the use and disclosure of Confidential Information received from, or created or received by Licensor on behalf of Client available to Client, or at the request of Client to [third party auditor], in a reasonable time and manner agreed to by Client and Licensor, for the purpose of [Insert limited purpose]. Such books and records shall exclude any legally privileged information, as well as non-relevant personal data or Confidential Information of other Licensor clients.

IV. Miscellaneous

1. Background Checks/Drug Tests

Is the obligation to conduct background checks and drug tests limited to those employees who enter Client sites and/or access Client systems or does it apply to any Licensor employee, subcontractor or vendor who comes in contact with Client confidential information? Are there any specific requirements for conducting background checks and drug tests on Licensor employees, subcontractors or vendors? Has Licensor’s Human Resources Department been notified to determine if these requirements go beyond the tests already conducted by Licensor? Do the background checks and drug tests apply to subcontractor personnel, and if so, have parallel requirements been incorporated in the subcontractor agreement? How often must the drug test be given, and who is responsible for paying for them and maintaining records about them? Who is responsible for ensuring Licensor’s compliance including ensuring all subcontractors and vendors have all applicable requirements flowed down and audited?

NOTE: You need to determine the scope of checks and tests undertaken by Licensor at the time of the employee’s hiring, and if those results will satisfy the requirements of the contract. Who is the contact person for ensuring compliance?

NOTE: All background checks for Licensor employees should be discussed with the applicable HR manager assigned to that group. The contract should be very clear about which Licensor employees this requirement will apply to – for example, if Licensor hosts Client data on its own servers, will Client require anyone with access to those servers to have a background check and drug test? If so, this may be a broader spectrum of Licensor employees than merely those going to Client site. The costs associated with such checks and tests should be considered when pricing the deal.

2. Project Budget

Does the pricing model include the cost of specific security requirements required by Client and offered by Licensor as separately chargeable services? Does the project budget contain a set-aside for the potential cost of complying with ongoing data related requirements, including potential incident response?

3. Training Requirements

Does the Agreement require any continuous training (e.g., HIPAA, Gramm Leach Bliley, etc.) during the term of the Agreement? Has the project manager established ongoing training during the term of the Agreement to meet contractual requirements, and who will maintain records regarding such training?

4. Internal Licensor Resources

If you require additional information, the following Licensor resources may be helpful:

CHAPTER 23, FORM 23.L.2

Business Associate Agreement/HIPAA Checklist

THIS CHECKLIST IS TO BE USED ONLY AS A GUIDE WHEN ASSESSING THE ACCEPTABILITY OF CLIENT PROPOSED HIPAA/BAA RELATED REQUIREMENTS AND RELATED CONTRACTUAL PROVISIONS. IT IS NOT INTENDED TO BE A COMPREHENSIVE LIST OF THE HIPAA/BAA ISSUES/RISKS ASSOCIATED WITH A PARTICULAR TRANSACTION. EACH CLIENT’S HIPAA/BAA REQUIREMENTS SHOULD BE REVIEWED IN THE CONTEXT OF THE UNDERLYING TRANSACTION AND ANY CONTROLLING POLICIES/AGREEMENTS. THIS CHECKLIST APPLIES TO U.S. COMMERCIAL DOMESTIC AGREEMENTS UNDER WHICH THE PHI IS U.S. PHI ONLY. IF DATA OF CITIZENS OF OTHER COUNTRIES IS BEING PROCESSED OR IF SERVICES ARE BEING PROVIDED INTERNATIONALLY, INTERNATIONAL COUNSEL NEEDS TO BE CONSULTED. CLIENT: ______CONTRACT: ______

I. Client Policies

1. Nature of the Policies

Are Client’s policies static or fluid (i.e., set forth on a web site and subject to change)? If static, attach the negotiated policy to the underlying Agreement as an exhibit.

NOTE: For purposes of this Checklist, specific contractual HIPAA-related obligations in an Agreement should be considered in the same manner as Client policies.

If fluid, how is Licensor protected in the event of a change to policy? Who on the Licensor project team is responsible for identifying ongoing changes made to policy and ensuring compliance with such changes? Is Client obligated to notify Licensor of any changes to its policies after execution of the Agreement? Who bears the additional cost, if any, of complying with the change in policies?


NOTE: If at all possible, Licensor should not agree to comply with a policy posted to a Client’s web-portal due to the risk of Licensor failing to identify subsequent changes to the policy and the inability of Licensor to protect against the financial risk arising from future changes. If Licensor agrees to be bound by policies posted on Client’s web-portal, Client should have the obligation to notify Licensor in advance when a change is made. Financial or other impacts of a policy change should ideally be addressed through the change order process. Licensor cannot bear the risk of future changes unless its pricing has contemplated such changes. Changes that will result in a material change in processes or operations or result in an increased financial burden or legal exposure should be negotiated by Client and Licensor as part of the change order process. If Client is unwilling to utilize a change order process, Licensor should have the right to terminate the Agreement in the event of a material change.

Any obligations imposed on Licensor based on client policy versus the law should be closely scrutinized and approved by the appropriate Licensor security personnel to determine whether Licensor can comply. For transactions with a TCV of US$500,000 or with a high level of risk, has Licensor’s project management team issued a comprehensive information security policy, operating procedures, and associated responsibility statements based on Client’s policies?

2. Disclosure of PHI

Will Licensor share, transfer, or release any PHI to third parties?

• With whom, if anyone, is the PHI being shared, transferred, or released? This includes subsidiaries, partners, contractors, etc.
• What specific PHI, if any, is being shared, transferred, or released and under what authority?
• What is the geographic location of these individuals and entities?

What state specific law may apply, in particular, what state specific data breach notification requirements may there be? Are the limitations on disclosure of PHI broad enough to allow Licensor to disclose the PHI to those employees, contractors, auditors and subcontractors who need access to support the contract? Do those limitations on disclosure require that we have any particular contractual or other restrictions with those to whom access is provided? If so, who on the account team is responsible for ensuring that the restrictions have been complied with prior to disclosure? Is Licensor going to use employees and contractors outside of the United States on the project? If so, are there limits on Licensor disclosing PHI to Licensor employees and contractors working outside of the United States? Client imposed limitations on Licensor’s ability to disclose confidential information to employees/contractors outside of the US may prevent Licensor from efficiently performing the Services, and may result in increased costs of the Services. Has project management considered the export implications of moving such information offshore or the costs of being restricted from doing so?

NOTE: In most cases, Licensor cannot agree to limit how it allocates the work among different countries and must retain the ability to allocate work in the most efficient manner possible. Licensor prefers not to condition its right to perform work outside the United States on Client’s prior consent, but can agree to notify Client in the event any work will be performed outside of the United States. In some transactions, Client may be in a bargaining position to impose limitations. If so, consent to the broadest range of Licensor locations around the world which is practical should be obtained as part of the initial contract.

3. Use of Information

May Licensor use information and data derived from the PHI for Licensor’s own purposes, if Licensor removes all personally identifiable information?

NOTE: The right to use de-identified PHI may be very important for healthcare projects and data warehouse projects where Licensor seeks to create a “product.” The ability to use this data in any fashion will usually not be granted in a major outsourcing transaction.

Model language:

Notwithstanding any other provision of this Agreement, Licensor may utilize data capture and analysis tools, and other similar tools, to extract, compile, synthesize, analyze, and use any Blind Data. “Blind Data” means non-individually identifiable and non-client identifiable data or information created from Client’s data submitted for data processing. Blind Data excludes: 1) any specific Client identifiable information such as individual names and physical addresses; and 2) any specific Client information related to a report, or any party to a report, such as name, gender, race, ethnicity, human resources identification number, social security or international identification number, E-Mail address, home address, and home phone number. To the extent that any Client Blind Data is collected or compiled by Licensor, such Blind Data shall be solely owned by Licensor without any restrictions whatsoever. Client acknowledges that Licensor’s ability to use and dispose of Blind Data is part of the consideration Client is paying to Licensor for the services and no fee or other consideration will be paid or owing to Client by Licensor for Licensor’s use and/or disposal of the Blind Data.

4. Protected Health Information (“PHI”)

Does Licensor have a plan to minimize the collection of PHI in order to comply with any obligation to restrict access and use of PHI solely for the purposes contemplated by the Agreement and thereby eliminate any unnecessary risk of exposure/liability? Who is responsible for tracking all PHI throughout the lifecycle of the engagement so it can all be returned or destroyed at the end of the engagement? If Licensor is instructed by Client to destroy the PHI and also provide certification as to such destruction, who within Licensor will undertake the secure destruction and provide the actual Certificates of Destruction and who will pay for that service? Who is responsible for ensuring Licensor complies with Licensor’s contractual data related obligations, e.g., the Project Manager or someone else? Have these obligations been effectively communicated by Legal during the negotiation process to all members of the delivery and project management team and have limitations to access been built into the business process to ensure no inappropriate disclosure happens?

5. Stated Standards

Why does Licensor need to comply with the stated standards? Is Licensor’s compliance required by law or simply desired by Client? If Licensor stores (on behalf of Client) PHI, and there is a breach, government agencies may hold Licensor directly liable, so how does Licensor mitigate that risk? Does Licensor meet/comply with the stated standard? Does the relevant division meet/comply with the stated standard? If the standards are stated by reference to particular statutes, are the requirements fully understood and communicated? Is there a procedure in place to monitor changes in the referenced laws and who is responsible for such monitoring? Are the stated standards static or fluid (e.g., set forth on a website and subject to change)? If static, attach (or reference) the stated standard as an exhibit. If fluid, how is Licensor protected in the event of a change to the standard? Who bears the additional cost, if any, of complying with the change in the standard?

NOTE: Responsibility for compliance resides with the project group, not Legal. Please make sure the project group understands this.

NOTE: Do not assume that Licensor or a particular Division within Licensor complies with a particular standard. You must confirm that the Division in question actually complies. If multiple Licensor Divisions will be providing services, you must confirm that EVERY Division complies. Avoid agreeing to broad based statements of compliance that apply to all of Licensor. For example, some Divisions of Licensor may be ISO 9000/1 compliant while others may not be.

NOTE: Licensor should not represent or warrant compliance with HIPAA or a Client policy. Instead, Licensor should agree (covenant) that it will comply with the applicable policy or HIPAA in existence at the time of the Agreement’s execution. Licensor cannot commit to comply with future policies or law without financial protection.

Will Licensor supplement the information received directly from Client with additional PHI received from third parties, or information received by mechanisms other than those to which Client has explicitly consented? If so, are there additional standards that need to be complied with relative to amendment of data, commingling of data, and/or storage of data?

6. Project Management

Who within Licensor is responsible for the following aspects of compliance for the project?

Project Manager: ______
Administrative Safeguards: ______
Physical Safeguards: ______
Technical Safeguards: ______
Point of Contact for Security Issues: ______
Point of Contact for Human Resource Issues: ______
Point of Contact for Incident Notification & Escalation: ______
Point of Contact for Issue Resolution and Communication: ______

7. Employee/Contractor Issues

If applicable, who is responsible for developing an Acceptable Use Policy (AUP) for Licensor employees and contractors outlining the contractual obligations, as well as the consequences of misuse of PHI? If the Project Manager is not going to prepare an AUP, have they been apprised of the risk of not doing so? Who is responsible for ensuring no potential conflicts of interest exist? Have all employees and contractors executed written acknowledgements of their understanding and acceptance of Client’s Business Associate Agreement (“BAA”) or information/security policies? Has the execution of properly signed confidentiality agreements been verified before PHI is disclosed, in any form, to employees and non-Licensor individuals? (Most employees will have satisfied this requirement through the execution of a standard non-disclosure agreement that was part of their on-boarding process with Licensor.) Do employees/contractors understand their obligation to encrypt PHI? Whose obligation is it to ensure that each employee/contractor is provided equipment that enables encryption of PHI (whether on a desktop, laptop, USB drive, PDA, Blackberry, etc.)? Is the Licensor project manager aware of any ongoing training requirements? Has he/she established ongoing training during the term of the Agreement to meet the contractual requirements? Has a process to document completion of such training been established and who is responsible for maintaining those records?

Have all Licensor employees received HIPAA compliance training prior to receiving PHI? Has a process to document completion of such training been established and who is responsible for maintaining those records?

8. Licensor Obligations upon Termination of Agreement

Do Client policies require that Licensor dispose of PHI in a particular manner? Are these requirements consistent with Licensor policies and if not, who will pay for the added costs of secure destruction?

NOTE: Data conversion and storage can be very expensive. Licensor should ensure that it has no obligation to store or convert Client data/PHI after the termination of the Agreement unless Licensor is compensated to do so. If Licensor is obligated to return Client’s PHI and that PHI is expected to be voluminous, Client should pay all costs associated with the return of such PHI. In the alternative, Licensor should have the contractual right to simply destroy such PHI in which case Client should also be obligated to pay such destruction costs.

Model language:

Upon termination of this Agreement for any reason, Licensor shall return or destroy all Confidential Information/PHI received from Client, or created or received by Licensor on behalf of Client. In the event that Licensor determines in its reasonable discretion that returning or destroying the Confidential Information/PHI is not feasible, Licensor shall notify Client of the conditions that make return or destruction infeasible and shall extend the protections of this Agreement to such Confidential Information/PHI and limit further uses and disclosures of such Confidential Information/PHI to those purposes that make the return or destruction infeasible, for so long as Licensor maintains such Confidential Information/PHI.

II. Related Contractual Provisions

1. Contractors/Subcontractors/Vendors

Is Licensor required to flow down all standards, policies, or contractual terms to its contractors, subcontractors and vendors? Who is responsible for ensuring their compliance? Have all applicable provisions been flowed down to Licensor’s contractors, subcontractors and vendors? How is Licensor protected in the event its contractors/subcontractors/vendors fail to comply? Has Licensor obtained an indemnity from its contractors/subcontractors/vendors for their failure to comply?

2. Changes in the Law

Who bears the risk of changes in the law/HIPAA? Who is responsible for tracking changes in the law/HIPAA? Has Licensor priced the financial risk of complying with any changes into its pricing? What ability does Licensor have to protect itself in the event of increased costs due to changes in the law?

NOTE: Licensor should only agree to comply with all laws in existence at the time the contract is executed. Licensor should not agree to comply with all laws as they may exist throughout the duration of the contract. Changes in the law should be addressed through the change order process. Client should not be able to transfer the risk of a change in the law to Licensor as this risk originally resided with Client and there is no reason it should flow to Licensor solely because Licensor is providing services to Client.

ALTERNATIVE POSITION: If the change in law impacts Licensor in its capacity generally as an IT services vendor (e.g., changes to apply HIPAA provisions directly to BAs), then Licensor should bear the risk of its compliance. However, if the change in law impacts Licensor because of a particular service it is providing on behalf of Client and the change is specific to that service (e.g., Medicare Part D claims processing), then Client should bear the risk. Licensor can agree to comply with all laws brought to its attention by Client provided Licensor is compensated for any additional cost associated with Licensor’s compliance. Licensor lacks the ability to track all potentially applicable laws throughout the United States and the world. Client is in a better position to do so through its knowledge of its industry and its membership in industry organizations.

Model language:

Licensor will comply with the following state privacy laws [OPTION: as directed by Client] but only to the extent such laws are applicable to the Services and to the extent Client was in compliance with such laws at the time Licensor commenced providing services: [SPECIFY STATE STATUTES].

Client shall monitor and promptly identify and notify Licensor of all changes in Applicable Laws occurring on or after the Effective Date and all noncompliance existing as of the date Licensor commences services (collectively “Legal Changes”). Client and Licensor will work together to identify the effects of Legal Changes on the provision or receipt of the Services. With respect to Legal Changes, the parties will discuss, in a timely manner, what modifications to the Services, if any, are necessary to comply with such Legal Changes. Licensor shall promptly thereafter propose any amendments or change orders to the Agreement associated with such Legal Changes including applicable charges necessary to implement such Legal Changes. Upon the parties’ agreement to the relevant amendment or change order, Licensor shall implement the changes to the Services in a timely manner.

3. Indemnification

Is the indemnification narrowly tailored to those liabilities arising directly from Licensor’s breach of a limited aspect of the policy versus a broadly worded indemnity related to the breach of the policy or the Agreement? Is Licensor indemnified by Client for liabilities claimed by third parties arising from Client’s breach of the law or Client’s policies?

NOTE: Licensor should attempt to reject any demand by Client for indemnification on the premise that Client’s remedy lies in a claim for breach of contract (damages). HIPAA does not require a vendor to indemnify a Client. Many Clients will argue that an indemnity is industry standard. If Licensor must give an indemnity, the indemnity should be narrowly drawn to cover third party claims arising from violations of the Agreement and the law. Licensor should not indemnify Client for breach of a policy or breach of the Agreement alone. The indemnity set forth below requires that the indemnified claim be both a violation of the Applicable Law and a material breach of the Agreement. In addition, it excludes third party claims arising from instructions received from Client. Licensor should seek to make any indemnity mutual. Indemnification should be only for those losses asserted by third parties who are not affiliates (with “affiliates” or “unaffiliated” being a defined term). Attorney’s fees and costs of litigation should be covered only in the event of a wrongful refusal to accept a tender of indemnity. Cross-indemnities for breach of laws should be obtained. The extent to which indemnities are excluded from any limitation of liability needs to be addressed on a case-by-case basis.

Model language:

Licensor agrees to indemnify, defend and hold harmless Client against all actual direct losses claimed by unaffiliated third parties arising directly from the use or disclosure of PHI by Licensor or its agents which is both an express violation of the [Applicable Laws] and a material breach of this Agreement (“Licensor Indemnified Claim”). Said responsibility adheres only to violations solely attributable to the actions/inactions of Licensor and/or its agents. The foregoing indemnity will not cover any third party claims arising from any action or inaction of Licensor taken or not taken by Licensor at the request of Client or to actions or inactions of Licensor that are permitted under [Applicable Laws] and/or this Agreement. For the avoidance of doubt, a Licensor Indemnified Claim may not be asserted under any other indemnity provided by Licensor to Client.

Client agrees to indemnify, defend and hold harmless Licensor against all actual direct losses claimed by an unaffiliated third party arising from any action or inaction of Licensor taken or not taken by Licensor at the request of Client or to actions/inactions of Licensor that are permitted under the [Applicable Laws] and/or this Agreement.

NOTE: “Unaffiliated” needs to be a defined term.

4. Reliance on Instructions To the extent not otherwise addressed, Licensor should attempt to include a provision specifying that Licensor is entitled to rely on Client’s instructions. Model language: In performing its obligations under this BAA, Licensor will be entitled to rely upon any instructions, authorizations, approvals, or other information provided to Licensor by Client. Licensor will incur no liability or responsibility of any kind in relying on or complying with any such instructions or information.

5. Representations and Warranties

NOTE: Licensor should not represent or warrant compliance with HIPAA or a Client policy. Instead, Licensor should agree (covenant) that it will comply with the applicable policy or HIPAA in existence at the time of the Agreement’s execution. Licensor cannot commit to comply with future policies or law without financial protection.

6. Limitation of Liability If Client’s policies are contained in a free-standing document, does that document contain a limitation of liability? Confirm that the over-arching Agreement’s limitation of liability limits Licensor’s liability for breach of the policy or that the policy contains its own limitation of liability. If Client’s policies are an attachment to the underlying Agreement, does the Agreement/policies clearly state that the policies are subject to the Agreement’s limitation of liability? Is a breach of Client’s policies carved out from the Agreement’s limitation of liability? An exception to a limitation of liability for failure to comply with laws should be addressed through the approval process. It is preferable to limit this exception to discrete activities such as the giving of any required legal notice, the payment of fines or penalties, etc.

NOTE: Any carve-out from the Agreement’s limitation of liability should be narrowly drafted such that the exclusion applies only to breach of Licensor’s confidentiality obligations and not to a breach of the applicable policy. This carve-out should be mutual so that Client also has unlimited liability for any breach by it of its confidentiality obligations relative to Licensor’s Confidential Information.

7. Right to Cure Does the policy provide Licensor with the right to cure or may Client immediately terminate the underlying Agreement in the event of an alleged breach by Licensor? Does the policy set forth a notice and escalation process?

NOTE: Licensor must have a thirty (30) day period to cure any alleged breach. Client should provide Licensor written notice describing the breach in detail. Even the government’s own Business Associate Agreement (“BAA”) template recognizes a Business Associate’s right of cure. Occasionally, Client will point out that it is not possible to cure a breach if the data is not fully recovered and knowledge of it has not spread outside Licensor and Client. Thus, it may not be practical in all instances for Licensor to have a cure period.

Model language: Termination for Cause. Upon Client’s knowledge of a material breach by Licensor, Client shall provide Licensor written notice of the existence of the alleged material breach and provide Licensor 30 days from the delivery of such notice within which to cure the breach or end the violation. Client may terminate this Agreement [and the ______Agreement/ sections ____ of the ______Agreement] if Licensor does not cure the breach or end the violation within such 30-day time period by Client. If neither termination nor cure are feasible as reasonably determined by Licensor and Client, Client shall report the violation to the Secretary. Client’s report to the Secretary shall be limited to the specific information giving rise to the breach. See http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html. See also 45 C.F.R. § 314(a)(1)(i)(B). From the OCR Privacy Guidance: “Where a covered entity knows of a material breach or violation by the business associate of the contract or agreement, the covered entity is required to take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, to terminate the contract or arrangement. If termination of the contract or agreement is not feasible, a covered entity is required to report the problem to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).”

45 C.F.R. §§ 164.502(e), 164.504(e), 164.532(d) and (e).

8. Mitigation Is Licensor obligated to mitigate any breach? What is the extent of Licensor’s obligation to mitigate Licensor’s breach of the BAA? Licensor should not assume a broad obligation to mitigate any breach to Client’s satisfaction. Licensor should do only what is reasonable and leave it to Client to pursue damages if Client believes more is warranted.

NOTE: Clients increasingly seek to impose a mitigation obligation on Licensor to mitigate any deleterious effects from improper disclosure of PHI. The scope of the mitigation obligation is often undefined, but could include detailed notices to a very large pool, and call-in hotlines. Mitigation of the harmful effects is a requirement under HIPAA, but the rules do not define what specific actions must be taken or the scope of mitigation. The issue is one of conceding contractual language that could obligate Licensor to incur expenses in excess of what would otherwise be required to comply with law, based on the demands of Client. The language below obligates Licensor to use “reasonable efforts” to limit “additional losses” but expressly disclaims any obligations that would result in Licensor incurring a material financial expense. The new HIPAA HITECH rules will statutorily require Licensor as a Business Associate to mitigate any damages. Licensor will also need to implement new obligations concerning patient notification.

Model language: Licensor agrees to mitigate, to the extent practicable, any harmful effect that is actually known to Licensor of a Security Incident, caused by Licensor or its subcontractor(s) arising from its provision of the Services. Licensor’s obligation to mitigate shall consist of reasonable efforts to limit additional losses after a Security Incident has occurred. Licensor shall not be required to undertake any actions which would be unduly burdensome in terms of time or resources or cause Licensor to incur a material financial expense. [For purposes of this BAA, a material financial expense shall mean an expense which will cost in total an amount which is equal to or exceeds five percent (5%) of the fees under the Agreement associated with the provision of Covered Services in the immediately preceding three (3) months.]

9. Third Party Beneficiaries The Agreement/policies should specifically exclude any third party beneficiaries to limit any potential claims against Licensor by individuals whose PHI is breached. HIPAA, for example, presently does not provide a private cause of action to the owner of PHI against a Business Associate who violates the terms of HIPAA or a BAA.

Model language: Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than the parties who sign this Agreement any rights, remedies, obligations or liabilities whatsoever. There are no intended third party beneficiaries. [OPTIONAL – Licensor might want to state that there are no third party beneficiaries other than as specified in the indemnification provisions.]

10. Notices Due to the inability to confirm actual receipt by the intended recipient, Licensor should not agree to the provision of formal notices via E-Mail or facsimile. The preferred means of delivery is certified mail, return receipt requested or overnight courier. Notices should be sent to the General Counsel in LOCATION or to counsel for the group/entity entering into the Agreement, with a copy to a business team member. All notices should be effective upon receipt.

11. Unilateral Amendment of Underlying Agreement by Client Is Client allowed to unilaterally amend the Agreement for changes in the law or in the event Client believes a change is necessary to clarify an ambiguity or ensure compliance with an Applicable Law? How is Licensor protected from increased costs or other obligations? Will any negative impact be addressed through the change order process?

NOTE: Licensor cannot agree to the automatic amendment of the BAA or other agreement to comply with law. Licensor must have a consent and approval right. Licensor should only allow a unilateral change if Licensor is financially compensated for any negative/cost impact and the other terms, such as timing of implementation, are satisfactory to Licensor. In the alternative, Licensor should be allowed to reject any unilaterally proposed amendment, whereupon Client may terminate the Agreement.

12. Records Retention How long is Licensor required to retain the PHI or other records?

NOTE: Medicare has a ten (10) year requirement to retain records. If Licensor is an ASP for Client, the Agreement must clearly spell out what happens to the records and who is going to pay for it.

III. Audits, Etc.

1. Compliance Audits What type of compliance audits are required by Client? Is Licensor already performing this type of audit for the data center in question?

NOTE: If not, the requirements for any such audit will have to be separately coordinated in advance with Licensor’s Corporate Internal Audit Department, and Client should be made to pay for the audit. Additionally, the results of that audit should be restricted to an executive summary specific to Client, if possible.

Who is entitled to review the results?

NOTE: Any disclosure of the audit results should be limited and treated as Confidential Information. Client should not be permitted to disclose the results to any third party outside of its auditors and possibly its “advisors.” Licensor should specifically require that any third party execute a Non-Disclosure Agreement with Licensor prior to receiving a copy of the results and should exclude Licensor competitors from receiving a copy.

Does a security breach trigger a right to audit with respect to HIPAA compliance? If the breach occurred because of an employee act, is Client entitled to access the employee’s laptop or records to investigate such breach without Licensor’s consent?

2. Books and Records Are the audit provisions overly broad?

NOTE: Attorney-client privileged materials and materials not related to Client should be excluded.

Do they extend beyond books and records to include facility audits, and audits of practices and procedures?

NOTE: Except for very rare situations, Licensor should never agree to facility audits.

Is the audit triggered by a Licensor breach or at the demand of Client? How is “breach” defined? How often may Client demand an audit and who should pay for each? Is the audit subject to appropriate controls?

NOTE: Client should be required to provide at least seven (7) days prior written notice of its desire to audit Licensor’s books and records to allow Licensor the time necessary to collect and make available for review the relevant records. Client’s audit rights should be clearly stated and limited. Further, the audit should occur at the Licensor office where the books and records are stored during normal business hours, and be subject to all applicable confidentiality and Licensor security controls. The length of the audit should be limited to a set period of time to limit disruption to Licensor’s business operations. Licensor should be concerned as to the possibility that an audit of a facility or systems could expose other client PHI and/or deficiencies in Licensor’s compliance.

Model language: Licensor agrees to make those internal practices, books, and records specifically relating to the use and disclosure of Confidential Information received from, or created or received by Licensor on behalf of Client available to Client, or at the request of Client to [third party auditor], in a reasonable time and manner agreed to by Client and Licensor, for the purpose of [Insert limited purpose]. Such books and records shall exclude any legally privileged information, as well as non-relevant personal data or Confidential Information of other Licensor clients.

IV. Miscellaneous 1. Project Budget Does the pricing model include the cost of specific security requirements required by Client and offered by Licensor as separately chargeable services? Does the project budget contain a set-aside for the potential cost of complying with ongoing data related requirements, including potential incident response?

2. Training Requirements Does the Agreement impose any training requirements during the term of the Agreement? Has the project manager established ongoing training during the term of the Agreement to meet the contractual requirements, and who will maintain records regarding such training?

3. Internal Licensor Resources If you require additional information, the following Licensor resources may be helpful:

Recommended publications