Often, my office gets calls and emails asking what Appendix A is to such an agreement and what should it say. We get these questions regarding both our sample business associate agreement (available both on the Premium Member section of the Veterans Press website, www.veteranspress.com and on the HIPAA Documents Resource Center CD, 6th edition) and other business associate agreements obtained elsewhere.
The reason that I have not drafted a sample Appendix A is quite simply that, unlike the business associate agreement itself, which is largely boilerplate—that is, required language for HIPAA compliance—Appendix A will differ for every type of covered entity and for what services the covered entity or upstream business associate is engaging the business associate to perform. See my blog post of September 18, 2014, “Business Associates? How Low Can You Go? HIPAA & HITECH Act Blog by Jonathan P. Tomes,” concerning subcontractors as business associates. For example, the services that a covered entity might engage a transcription service to perform would be different from those of a billing service. In my HIPAA compliance books, I identify more than 80 possible business associate relationships, and others are certainly possible. Almost all of them, when they qualify as business associates, will be providing a different service or different services that the covered entities or upstream business associates are hiring them to do.
Note that you can, of course, put what services you are hiring the business associate to perform into the business associate agreement itself, but that scenario raises an issue to consider. If you, say, later changed the business associate’s duties, you would have to redo the entire contract rather than merely substitute a new Appendix A.
Further, whether you list the duties in the business associate agreement itself or list them in Appendix A, remember that you do not want to exercise too much control over how that business associate performs its duties, or your may be liable under the federal common law of agency. See my February 18, 2013, blog post, “You’d Better Not Control Your Business Associate’s Performance! HIPAA & HITECH Act Blog by Jonathan P. Tomes,” on liability for business associate breaches. For example, whether in your business associate agreement itself or in Appendix A, do not specify what shredder the shredding service is to use or require its approval by your security officer because that specificity is too much control. You could say something general, such as shredding will comply with HIPAA requirements.
The moral of this story once again is that, under HIPAA, one size does not fit all. As with all of our sample policies, agreements, notices, and so forth, use the sample as a template and adapt it to your situation, your state laws, your area of practice, your type of business, your business associates if you are a covered entity or an upstream business associate or your covered entities or upstream business associates if you are a business associate or downstream business associate, and so forth.
