Patricia M. Wagner, Chief Privacy Officer and Member of the Firm in the Health Care and Life Sciences and Litigation practices, in the firm’s Washington, DC, office, was quoted in Wolters Kluwer Health Law Daily, in the Strategic Perspectives column titled “Business Associates No Longer Second to Covered Entities as OCR Increases Focus,” by Sarah Baumann.
Following is an excerpt:
Issues often arise relating to the parties’ responsibility in the event of a PHI breach, according to Patricia M. Wagner, Member, Esptein Becker Green, as well as “whether or not the BA will have the right to de-identify the PHI, and the assertion of control of downstream vendors by the CEs.” A BAA is separate from the underlying agreement that the CE (or contracting BA) and BA might enter into. Wagner said provisions not required by the HIPAA rules may be more appropriately placed in the underlying agreement, rather than the BAA. Boilerplate provisions, such as choice of law, should either be consistent with, or separate from, the outside agreement. She cautioned CEs about being so “prescriptive” as to form an agency relationship, rather than allowing the BAs to remain independent contractors.