Do HIPAA Resellers Need Business Associate Agreements with their Clients?
The short answer is “Yes”.
The HIPAA Omnibus (and HITECH) rules state that a chain of Business Associate Agreements is required from the Covered Entity through each business partner in the chain of companies that have potential access to the ePHI of that Covered Entity.
In the case of LuxSci HIPAA resellers, the chain of companies is:
- LuxSci
- LuxSci Reseller
- Reseller’s Customers (be they Covered Entities or Business Associates)
So, LuxSci has a Business Associate Agreement with the Reseller, and the Reseller has separate Business Associate Agreements with each of their customers. This is because the LuxSci HIPAA Reseller is acting as a VAR (value added reseller) of LuxSci, administering their customers’ accounts. As such, the HIPAA Reseller provides basic support to those customers, can perform password resets, and can therefore technically access the customers’ ePHI through password reset and support processes.
HIPAA Resellers that do not want to establish contracts with customers and/or who want to eliminate this liability are advised to become “Affiliates” instead. Affiliates refer customers to LuxSci and earn a commission for each referral; however, the referred customers become direct customers of LuxSci, with the Affiliate essentially “out of the loop” and without any access to their accounts or ePHI. Hence, Affiliates are not Business Associates of the customers they refer and have no HIPAA liability or obligations in this respect.
What should Reseller Business Associate Agreements look like?
LuxSci always recommends that Resellers engage a lawyer to help them create the most appropriate Business Associate Agreement to use with their customers. Why?
- Resellers differ in how they use our services and who their customers are.
- Resellers often provide additional value added services and support to their customers that may need to be reflected in the business associate agreements.
- Resellers may have specific requirements from their customers in terms of the content of these agreements.
In any case, we recommend that Resellers:
- Use the LuxSci standard Business Associate Agreement as a basis for theirs. Since the Reseller is signing this, having the Reseller’s customers sign something close to LuxSci’s BAA provides consistency.
- Review the Sample Business Associate Agreement provided by Health and Human Services.
When deciding whether to add special terms regarding indemnification to your Business Associate Agreements, you may want to read: To indemnify or not to indemnify – 10 Considerations.
HIPAA Reseller Frequently Asked Questions
If I become a Reseller, what types of risks do I expose myself to?
As a Reseller and administrator of your customers’ accounts, you become responsible for their proper use of the services. If there is a HIPAA breach due to your actions, or due to your failure to train your customers, then you have direct liability. As such, being very familiar with LuxSci’s services, and with what you should and should not do with email and web sites, will be very important so that you can properly direct and support your customers and limit your liability by implementing best practices and educating your customers.
What tips can LuxSci share with Resellers wishing to minimize HIPAA liability?
- Have your customers sign a Business Associate Agreement with you.
- Have your Business Associate Agreement reviewed by your lawyer.
- Do not indemnify your customers.
- Be very familiar with LuxSci’s Account Restrictions Agreement, and ensure that you have a similar agreement with your customers and/or that you educate them in these best practices.
- If your customers are web hosting through you, be very sure that their web sites are designed to properly handle ePHI. E.g., see “7 steps to make your web site HIPAA Secure” and “HIPAA-compliant web sites: Requirements and Best Practices.”
- Be sure to train your customers in the proper use of secure email, e.g.:
  - What is and what is not ePHI?
  - When you can use “Opt Out” to send insecure email messages.
  - How secure email works.
Does the fact that I sign a Reseller BAA with LuxSci mean that I must now ask other web-related vendors serving my clients to do the same?
HIPAA requires that you have a Business Associate Agreement with every vendor you use through which ePHI may pass or be stored. So, you should evaluate every vendor that you use, determine which ones meet this criterion, and get an agreement from each of them … or change vendors.