HIPAA S BUSINESS ASSOCIATE REQUIREMENTS FOR PATHOLOGISTS AND LABORATORIES

Transcription

1 HIPAA S BUSINESS ASSOCIATE REQUIREMENTS FOR PATHOLOGISTS AND LABORATORIES What is HIPAA? The Health Insurance Portability and Accountability Act of 1996 ( HIPAA ) establishes new privacy requirements for the protection of patients health information. The rules apply to Covered Entities a term that includes pathologists and laboratories if they transmit health information electronically (e.g., for billing). Although not all information will need to be protected, most patient information will be considered Protected Health Information, or PHI. PHI includes all individually identifiable health information, including electronic and paper records and also oral communications. Unless a pathologist or laboratory handles all health information on paper with no electronic transactions, pathologists and laboratories will be subject to HIPAA s requirements. Generally speaking, HIPAA requires pathologists and laboratories to: (1) monitor the uses and disclosures of PHI; (2) give certain rights to patients with respect to their PHI; and (3) establish certain administrative policies and procedures to ensure that privacy is prioritized. In addition to these requirements, pathologists and laboratories are likely to be affected by HIPAA through its Business Associate requirements. What are the HIPAA Business Associate Requirements? The HIPAA privacy rules require Covered Entities to enter into written agreements with their Business Associates. These Business Associate agreements ensure that a Business Associate will provide the same privacy protections to the Covered Entity s information as the Covered Entity would. Who is a Business Associate? Generally speaking, a Business Associate is a person or entity that has access to PHI as a result of providing services to a Covered Entity. Specifically, the rules define a Business Associate as a person who: (i) on behalf of such Covered Entity or of an organized health care arrangement... in which the Covered Entity participates, but other than in the capacity of a member of the workforce of such Covered Entity or arrangement, performs, or assists in the performance of: (A) A function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or

2 (B) Any other function or activity regulated by this subchapter; or (ii) Provides, other than in the capacity of a member of the workforce of such Covered Entity, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for such Covered Entity, or to or for an organized health arrangement in which the Covered Entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such Covered Entity or arrangement, or from another Business Associate of such Covered Entity or arrangement, to the person. 1 For example, a pathologist s or laboratory s billing service will clearly be a Business Associate of the pathologist or laboratory. Similarly, an attorney, accountant or consultant that provides services to a pathologist or laboratory may be a Business Associate of the pathologist or laboratory if such individuals have access to patient information in the course of providing their services. In addition, in certain circumstances a pathologist or laboratory may be the Business Associate of another Covered Entity. For example, when a pathologist provides medical direction services for a hospital s laboratory, the pathologist is providing services to the hospital and will have access to information about the hospital s patients. In these circumstances, the pathologist likely will be a Business Associate to the hospital. Therefore, each pathologist and laboratory must determine which of the people or entities providing services to the pathologist or laboratory will need to sign a Business Associate contract. In addition, the pathologist or laboratory must identify which hospitals, laboratories, or other Covered Entities to which the pathologist or laboratory provides services will ask the pathologist or laboratory to sign such a contract. When is a pathologist or laboratory a Business Associate of another Covered Entity? Generally speaking, a pathologist or laboratory will be a Business Associate of a hospital or another Covered Entity when the pathologist or laboratory (1) is providing services to the Covered Entity and (2) the pathologist will have access to patient s PHI because of its role in providing such services. For purposes of illustration, this memorandum discusses the example of a pathologist serving as a medical director of a hospital laboratory, although there are likely to be other circumstances in which a pathologist or laboratory would be a Business Associate. Is a pathologist a Business Associate of a hospital when he or she is an employee of the hospital? An employee of a Covered Entity is not a Business Associate of the Covered Entity. Therefore, a pathologist that is employed by a hospital will not be a 1 45 C.F.R

3 Business Associate of the hospital, even if the pathologist is serving as the medical director for the hospital s laboratory. Is a pathologist who provides only patient (Part B) services at a hospital (and incidental administrative services associated with participation on a hospital s medical staff) a Business Associate of the hospital? A pathologist that provides only patient (Part B) services at a hospital, but does not provide administrative services on behalf of the hospital, will not be a Business Associate of the hospital. A Business Associate relationship only exists if one party is providing services on behalf of the other party. When a pathologist participates on a hospital s medical staff, the pathologist and hospital are not providing services on behalf of each other, even though they are providing services on behalf of the same patients. As the HIPAA rules emphasize, medical staff privileges, by themselves, do not create a Business Associate relationship between a hospital and the pathologists and other physicians on staff. Moreover, a pathologist may perform the typical administrative services that are associated with participation on a hospital s medical staff without creating a Business Associate relationship with the hospital. For example, a pathologist may contribute to a morbidity and mortality review or may communicate with the hospital to obtain patient-specific demographic information for use in billing and collection. When the pathologist participates in these types of activities that are not directly related to treatment, the pathologist and hospital are considered to be participating in an organized health care arrangement. The HIPAA rules define the term organized health care arrangement to mean: (1) A clinically integrated care setting in which individuals typically receive health care from more than one health care provider; [or] (2) An organized system of health care in which more than one Covered Entity participates, and in which the participating Covered Entities: (i) Hold themselves out to the public as participating in a joint arrangement and (ii) Participate in joint activities that include at least one of the following: (A) Utilization review ; (B) Quality assessment and improvement activities ; or (C) Payment activities. 2 HIPAA created the organized health care arrangement category in order to permit physicians and hospitals to participate in joint activities, such as committees, without creating a burdensome Business Associate relationship. Thus, participation by a pathologist in typical medical staff activities, even those that involve the sharing of 2 45 C.F.R

4 PHI, do not make the pathologist a Business Associate of the hospital. In fact, the commentary to the HIPAA rules specifically states: Participants in such clinically integrated settings need to be able to share health information freely not only for treatment purposes, but also to improve their joint operations. For example, any physician with staff privileges at a hospital must be able to participate in the hospital s morbidity and mortality reviews, even when the particular physician s patients are not being discussed. These activities benefit the common enterprise, even when the benefits to a particular participant are not evident. Thus, special rules are needed to ensure that this rule does not interfere with legitimate information sharing among the participants in these arrangements. 3 Importantly, however, participants in an organized health care arrangement can, in some circumstances, still be Business Associates of each other. If either the hospital or the pathologist provides services for or on behalf of the other party, a Business Associate relationship is created. For example, if a hospital provides billing services for the pathologist, then the hospital would become a Business Associate of the pathologist, even though the parties still exist as participants in an organized health care arrangement. Similarly, if the pathologist provides administrative services on behalf of the hospital, such as serving as a medical director, the pathologist becomes a Business Associate of the hospital. 4 Thus, it is important to be able to distinguish when a pathologist is a business associate of a hospital and when a pathologist is not. The distinction turns on whether the pathologist is performing services for the hospital, as when a pathologist directs the hospital s laboratory, or whether the pathologist is merely involved in a joint activity with the hospital that other members of the hospital s staff would be asked to do as well, as when a pathologist contributes to a hospital committee with other physicians on the hospital s medical staff. It may be helpful to think about whether the pathologist is more like a billing service, being brought in and paid to manage a particular task, or 3 65 Fed. Reg , 82494; see also 45 C.F.R ( A covered entity participating in an organized health care arrangement that performs a function or activity [that would make it a Business Associate] for or on behalf of such organized health care arrangement does not, simply through the performance of such function or activity or the provision of such service, become a business associate of other covered entities participating in such organized health care arrangement. ). 4 The commentary to the HIPAA rules states: [W]here a physician or other provider has staff privileges at an institution, neither party to the relationship is a business associate based solely on the staff privileges because neither party is providing functions or activities on behalf of the other. However, if a party provides services to or for the other, such as where a hospital provides billing services for physicians for physicians with staff privileges, a business associate relationship may arise with respect to those services. 65 Fed. Reg , Note that the creation of a Business Associate relationship with respect to certain services does not create a Business Associate relationship with respect to all services between the two parties. -4-

5 whether the pathologist is just participating in activities that are incidental to providing care as a member of the hospital s medical staff. If a pathologist provides both patient services and also medical direction services, does the Business Associate relationship with the hospital apply to all the services provided by the pathologist, or only the medical direction services? A Business Associate relationship applies only to the services that give rise to the relationship. Thus, if a pathologist is both on a hospital s medical staff and also the medical director of the hospital s laboratory, the pathologist is a Business Associate of the hospital with respect to the medical director services but is not a Business Associate of the hospital with respect to the pathologist s participation on the hospital s medical staff. What must be included in the Business Associate contract? Once a pathologist or laboratory has determined that it will be a party to a Business Associate contract (either as the Covered Entity or as the Business Associate), the pathologist or laboratory will need to ensure that the contract includes the appropriate language. A Business Associate agreement is likely to include three major components: (1) an explanation of permitted uses and disclosures that the Business Associate may make; (2) an explanation of the Business Associate s responsibilities; and (3) other supporting provisions. Permitted Uses and Disclosures A Business Associate contract must establish the permitted and required uses and disclosures that the Business Associate may make with the Covered Entity s PHI. These purposes should reflect the reason for the underlying relationship between the Covered Entity and the Business Associate. For example, when a pathologist enters into a Business Associate agreement with its billing company, the contract may indicate that the billing company may use and disclose patient PHI for the purpose of providing billing and collection services to the pathologist as set forth in the Billing Services Agreement between the billing company and the pathologist. Similarly, when a pathologist enters into a Business Associate contract with a hospital because of the pathologist s role as a medical director, the contract may indicate that the pathologist may use or disclose patient PHI for purposes associated with the provision of medical direction services to the hospital laboratory as set forth in the Medical Direction Agreement between the pathologist and the hospital. In addition to the permitted uses and disclosures that are associated with the purposes of the Business Associate relationship, a Business Associate also may use PHI: (1) for its own management and administration; and (2) to carry out its legal responsibilities. Moreover, a Business Associate may disclose PHI for these same purposes, but only if the disclosure is required by law or if the Business Associate takes certain extra steps to ensure that the information will be protected once it has been disclosed. Specifically, the Business Associate must obtain reasonable assurances -5-

6 from the person to whom the information is disclosed that the information will be held confidentially and used or further disclosed only as required by law or for the purpose for which it was disclosed by the Business Associate. In addition, the recipient must agree to notify the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. In setting forth the permitted uses and disclosures that the Business Associate may make, the contract may not authorize the Business Associate to use or disclose PHI in a manner than would be prohibited for the Covered Entity. For example, the contract may not permit the Business Associate to disclose PHI without the patient s permission if the HIPAA rules would require the Covered Entity to obtain permission. Other than these purposes set forth in the agreement or as permitted or required by law, the contract must prohibit the Business Associate from any further use or disclosure of the PHI. Responsibilities of the Business Associate The Business Associate Agreement will also set forth the actions for which the Business Associate will be responsible. Safeguards. The Business Associate must use appropriate safeguards to prevent use or disclosure other than as provided in the contract. Reporting to the Covered Entity. The Business Associate must report to the Covered Entity any use or disclosure not provided for by the contract of which the Business Associate becomes aware. Obligations On Sub-Contractors. The Business Associate must ensure that any subcontractor or agent to which it provides PHI agrees to the same restrictions and conditions that apply to the Business Associate. Patient Access to PHI. The Business Associate must make PHI available to a patient upon individual request as appropriate. Pathologists should note that HIPAA s right of access does not apply to information that is maintained by a laboratory that is either (1) exempt from CLIA or (2) subject to CLIA where CLIA would prohibit the pathologist from providing access to the patient. Patient Requests for Amendments. The Business Associate must make PHI available for amendment and incorporate changes or amendments to PHI when notified to do so by the Covered Entity. Accounting for Disclosures. The Business Associate must provide the Covered Entity with the information it needs to make an accounting of disclosures to an individual. -6-

7 Access for DHHS. The Business Associate must make its practices, books, and records relating to the use and disclosure of PHI available to the Department of Health and Human Services if it requests to do so for purposes of determining the Covered Entity s compliance with the privacy rules. Return or Destruction of PHI. Upon termination of the contract, the Business Associate must, if feasible, return or destroy all PHI it received or created on behalf of the Covered Entity. If such return or destruction is not feasible, the Business Associate must extend the protections in the contract to the information and limit further uses and disclosures to whatever purposes are creating the reason why the Business Associate cannot return or destroy the information. Other Supporting Provisions The Business Associate Agreement will also contain additional supporting provisions. The only required supporting provision is one that identifies when a Covered Entity may terminate the Business Associate agreement. Specifically, the contract must authorize the Covered Entity to terminate the contract if the Covered Entity determines that the Business Associate has violated a material term of the contract. In addition, however, many Business Associate agreements will also contain additional provisions such as indemnification provisions. What are a Covered Entity s responsibilities with respect to monitoring its Business Associates? When a pathologist or laboratory is entering into a Business Associate agreement as the Covered Entity, it has some responsibility to ensure that the Covered Entity complies with the contract s requirements. If the pathologist or laboratory has actual knowledge of non-compliance by the Business Associate, the pathologist or laboratory must take appropriate, reasonable steps to resolve such non-compliance. If such steps are unsuccessful, the pathologist or laboratory should terminate the contract or, if termination is unfeasible, report the non-compliance to the Department of Health and Human Services. As a practical matter, this requirement of actual knowledge imposes a relatively low standard for monitoring. When do the HIPAA Business Associate requirements take effect? The HIPAA Business Associate requirements (and other privacy requirements) take effect April 14, Although compliance is not required yet, pathologists may already find that they are being asked to include Business Associate language in their contracts with hospitals. Because we expect many hospitals will rely on the model Business Associate Agreement that has been distributed by the American Hospital Association, we have attached an analysis of the model contract behind this memorandum. -7-

8 Conclusion We recommend that pathologists begin considering which of their existing arrangements may implicate the Business Associate requirements. They should consider situations in which they perform services and are the Business Associates of others, as well as situations in which others will be considered a Business Associate of to them. Although in the latter situation the onus is on the pathologist or laboratory to ensure that an appropriate business associate agreement is in place, the former may also create an immediate obligation as hospitals begin applying pressure for their Business Associates to include Business Associate language in their contracts. This memorandum generally describes how the HIPAA Business Associate requirements will affect pathology practices and laboratories. It is important to note, however, that the analysis in this memorandum is necessarily general. Each pathologist who has a circumstance that raises questions under the HIPAA Business Associate rules should consult with qualified counsel to resolve the matter. James C. Dechene Laura J. Cole Sidley Austin Brown & Wood Bank One Plaza 10 S. Dearborn Street Chicago, Illinois /

9 Analysis of the AHA Model Business Associate Agreement The American Hospital Association ( AHA ) has created a model Business Associate Agreement to assist hospitals in drafting their Business Associate agreements. Pathologists who are entering into Business Associate agreements with hospitals may find that they are asked to sign agreements that are based very closely on the AHA model. Despite the length of the AHA model contract, many of its provisions are of the same nature as those discussed above in this memorandum. Provisions addressing these points will need to be included, in some form, in any Business Associate agreement. Some provisions in the AHA model, however, are more burdensome than would be required under HIPAA or are not required under HIPAA at all. Thus, although the AHA model may be an acceptable place to start negotiations, a pathologist should be aware of certain provisions which should not be accepted without further negotiation between the parties. Introduction. The introduction to the AHA model identifies the context of the Business Associate agreement. It does not contain any substantive requirements for the pathologist. Section1 Permitted Uses and Disclosures of Protected Health Information. Generally, this Section includes provisions which should be included in a Business Associate agreement between a hospital and pathologist. Although the AHA model indicates that most of these sections are permitted rather than required, these sections set forth the different uses and disclosures that the pathologist may make with the hospital s PHI. The more uses and disclosures that are permitted under the contract, the fewer restrictions the pathologist will have when actually handling the PHI. Therefore, the pathologist should negotiate to include as many of these provisions as possible (noting that some of the listed uses and disclosures may not be relevant in all situations). Section 2 Responsibilities of the Parties with Respect to Protected Health Information. Most of the responsibilities set forth in this Section are required under HIPAA to be included in any Business Associate contract. The specific language used in the model agreement, however, may pose some issues worth considering. In subsection 2.1(b), the pathologist is required to report unauthorized use or disclosure to the Covered Entity s Privacy Official. The pathologist should ensure it has knowledge of who the Privacy Official is and how to contact that person. Also, the model contract leaves the timeframe for reporting blank to be filled in by the parties. The best way to define the timeframe would be to require reporting within a reasonable time. If the hospital will not agree to a non-specified time, the pathologist should negotiate for a longer timeframe if possible. For example, 30 days may make compliance easier for the pathologist than 5 days. The HIPAA rules do not require any specific timeframe for reporting. -9-

10 Subsection 2.1(c) requires the pathologist to mitigate any damages that may arise if the pathologist improperly uses or discloses PHI. This provision is not required to be included and its inclusion is not helpful to the pathologist. Depending on the circumstances, this provision may not be too burdensome, however, because the pathologist should have mitigation policies in place anyway because such policies are required for all Covered Entities under HIPAA. Subsection 2.1(g) requires the pathologist to make its records available to the hospital so that the hospital can audit the pathologist s compliance with the Business Associate contract. This provision is not required under the HIPAA rules, and in fact, the hospital has no responsibility to actively monitor the compliance of its Business Associates. However, it may be reasonable for the hospital to have such rights because it is ultimately responsible for any improper use or disclosure that is made by the pathologist. If this provision is included, the pathologist may want to negotiate the expectations regarding such audits. For example, the contract might limit the audits to a certain number per year (e.g., no more than 1 or 2 audits per year). Also, the contract might indicate that such audits would be at the hospital s expense. Further, the pathologist should ensure that the time period after the hospital s prior written request for the audit include a number of days that would be sufficient so that disruption to the pathologist s business would be minimized (e.g., at least 7 business days). Finally, the contract should limit the hospital s right to review the pathologist s billing or other records which would not be relevant to questions about the pathologist s compliance with the Business Associate contract. Subsection 2.1(i) requires the pathologist to return or destroy PHI to the hospital upon termination. Although this provision is required, the pathologist must read this provision together with Section 5.5 of the model contract, which sets forth the exceptions that are provided under HIPAA. Once these exceptions are taken into consideration, this provision is much less burdensome. In this subsection, the pathologist may again need to negotiate to obtain a time period of reasonable length in which to return or destroy the PHI after termination (e.g., 30 days or more). The responsibilities for the hospital which are set forth in Section 2.2 provide important protections for the pathologist. It is important to realize that while most of these provisions are not specifically required to be included in the hospital s Business Associate contracts, the hospital will have these responsibilities under HIPAA whether or not they are included. Subsection 2.2(e) indicates that the hospital agrees to allow the pathologist to make certain uses and disclosures of patients PHI. It is unclear why this provision is included in Section 2.2 rather than in Section 1 (which sets forth the permitted uses and disclosures that the Business Associate may make) of the HIPAA rules permits the hospital to make certain uses and disclosures (most of which are related to public policy reasons) without obtaining any form of permission from the patient. This subsection communicates that the hospital s Business Associate would be permitted to make these same uses and disclosures. -10-

11 It is unclear why this subsection prohibits the pathologist from using or disclosing PHI for research purposes without first obtaining approval from the hospital. In order to meet the requirements under , the pathologist would need to take certain steps prior to using patients PHI for research purposes even if the pathologist did not obtain approval from the hospital. Because HIPAA establishes these safeguards, it is unclear why the hospital would also want to have the opportunity to provide a separate approval of research uses. If a pathologist believes it will want to use PHI for research purposes, it should consider negotiating the removal of this provision from the contract. Section 3 Additional Responsibilities of the Parties with Respect to Protected Health Information. Section 3 sets forth the parties responsibilities with respect to allowing patients to have access to and request amendments of their PHI when it is in the Business Associate s possession. Although the model contract indicates that this section is permitted but not required, in fact the HIPAA rules do require a Business Associate contract to include provisions relating the Business Associate s responsibilities with respect to patients rights to request access and amendments to their PHI. The effects of this provision on pathologists may be somewhat limited. Patients should make requests to the pathologist (as opposed to the hospital) only if the pathologist maintains information about the patient that the hospital does not also maintain. If the hospital makes an amendment to PHI at the request of a patient, the hospital may ask the pathologist to similarly amend the pathologist s records in order to maintain consistency. As stated in our memorandum, pathologists should note an important exception to the access requirement set forth in Section 3.1(a). HIPAA s right of access does not apply to information that is either (1) exempt from CLIA or (2) subject to CLIA where CLIA would prohibit the pathologist from providing access to the patient. This exception would apply whether or not it was specifically included in the Business Associate contract between a hospital and a pathologist. Section 4 Representations and Warranties. Section 4 sets forth mutual representations and warranties that the hospital and the pathologist would make to each other. The provisions of this Section are not required under HIPAA and are not a necessary part of a Business Associate contract. Pathologists should be aware that by signing a contract that includes this language, the pathologist is representing that each of the statements in this Section are true and accurate. If in fact any of these statements are not accurate, the pathologist may be financially responsible to the hospital under the indemnification section. Language containing representations and warranties may or may not be included in the underlying Medical Director Agreement between the pathologist and hospital. If possible, the pathologist should try to exclude such representations and warranties from the Business Associate agreement. If the hospital negotiates for -11-

12 inclusion of representations and warranties, the pathologist should ensure that the representations are mutual, as they are in the model contract. Section 5 Term and Termination. Section 5 sets forth the parties expectations regarding the length of the agreement and the reasons for which it may be terminated. The Business Associate agreement should run for the length of the underlying contract, as is provided in Section 5.1. Section 5.2 establishes the procedures for the hospital to terminate the agreement with the pathologist. This Section of the model agreement is problematic. This Section provides that if the hospital determines that the pathologist has breached a material term of the agreement, the hospital may immediately terminate the Business Associate Agreement (importantly, under HIPAA, this would also require the hospital to terminate the underlying Medical Director Agreement). This termination procedure is problematic for two reasons. First, the hospital should not be able to unilaterally determine that the pathologist has breached the Business Associate agreement. Instead, the hospital should be held at least to a standard of reasonably believing that the pathologist has breached the agreement. Second, the opportunity to cure that is provided as an alternative in Section 5.2 should instead be the only procedure for termination. Without an opportunity to cure, the hospital could use this provision to terminate very easily the pathologist s Medical Director Agreement. Moreover, while the HIPAA rules do not require a cure period, they certainly contemplate that a Covered Entity would offer a cure period prior to termination of a Business Associate contract. In determining the amount of time that would be provided to cure, the pathologist should ensure that the length is sufficient to actually affect a cure (e.g., at least 30 days). The pathologist may also want to change the cure provision so that the pathologist is not required to cure the breach to the hospital s satisfaction if instead the pathologist has taken appropriate steps to begin to cure the breach where a full cure would not be possible in the permitted time period. Section 5.3 sets forth the procedure for the pathologist to terminate the agreement (and thus also the Medical Director Agreement). This provision includes language which would create an unreasonable burden on the pathologist, requiring the pathologist to cooperate with Covered Entity to find a mutually satisfactory resolution to the matter prior to terminating. A pathologist should not agree to this language, unless the hospital is willing to agree to the insertion of the same requirement in Section 5.2. Section 5.3 also states that notwithstanding this provision, [the pathologist] shall not terminate this Agreement so long as the [Medical Director] Agreement is in effect. This language is very problematic. Under the current language, the pathologist could not terminate the Business Associate agreement, even if the hospital failed to comply with any of its obligations under the agreement. The pathologist must be able to terminate the Business Associate agreement in response to a material breach by the hospital. Thus, the pathologist should try to have this language -12-

13 removed (although the pathologist must understand that if the Business Associate is terminated for any reason, the Medical Director Agreement will also be terminated). Section 6 Confidentiality. Section 6 establishes restrictions for both parties relating to protecting the confidentiality of information, other than PHI, that one party obtains from the other party in the course of the provision of the medical director services. This provision is not required under HIPAA and appears misplaced in the Business Associate agreement. Rather, this provision would seem more reasonable if placed in the underlying agreement, the Medical Director Agreement. The purpose of the Business Associate agreement is to protect the privacy of the PHI that the pathologist will access in the course of providing services to the hospital it is not to burden the parties with additional restrictions that should have been included in the underlying agreement. Section 7 Insurance and Indemnification. Under Section 7, the parties agree to carry certain levels of insurance coverage and to indemnify each other against losses. Neither of these provisions are required under HIPAA, but both are likely to be common in Business Associate agreements because HIPAA makes the Covered Entity responsible for the Business Associate s misdeeds. If possible, the pathologist should try to include a cap on the total amount for which the pathologist may be responsible if the pathologist is required to indemnify the hospital under this provision. Also, pathologists should note that their current insurance policies may not cover the costs for indemnification. If a pathologist s insurance policy does not cover these costs, the pathologist should either exclude the indemnification provision from the Business Associate agreement or obtain a rider from the insurance company to extend the policy to cover such costs. Section 8 Miscellaneous. Section 8 includes relatively common boilerplate provisions. While some of these provisions may not be necessary for a simple Business Associate agreement, they are unlikely to be problematic. Section 8.1 provides a place for the hospital to inform the pathologist of any entities that would be a party to the agreement because they are related to the hospital. Clearly, the hospital must communicate this information to the pathologist, either in a form such as is set out in Section 8.1 or in some other form. Ideally, if there are multiple Covered Entities under the contract, they should each be required to sign the agreement. Section 8.9 of the model agreement prohibits both parties from collecting incidental, consequential, special, or punitive damages from the other party under any circumstances. Although this language is not exceptional for legal boilerplate provisions, it is not necessary in a Business Associate agreement. A pathologist certainly should not agree to this language if the hospital does not agree to the mutual prohibition that is included in the model contract. -13-