Health care providers often have contracts with billing or electronic health records companies that access, store or process the health care providers’ sensitive data. If there is a breach of that data, the resulting damages will, from a legal standpoint, likely be considered “indirect” damages rather than “direct” damages.
So-called direct damages are usually limited to the value of the primary service being provided under the contract between the health care provider and the particular vendor, while damages resulting from the consequences of poor performance, such as a data breach, would usually be classified as indirect damages.
Unfortunately, many agreements between health care providers and such vendors specifically exclude the vendor from being liable for any damages other than direct damages. Therefore, a health care provider subject to such a contract may have no recourse against the vendor when the vendor suffers a data breach.
Accordingly, health care providers should attempt to exclude data breach damages from waivers of indirect damages.
Another strategy is to expressly include the protection and storage of sensitive user data in the description of the primary services being offered by the vendor. This may increase the likelihood that a court will view the protection of sensitive user data as part of the primary services being provided; damages resulting from the failure to provide such services would then be recoverable as direct damages.
A third strategy is to include an indemnification provision in the Health Insurance Portability and Accountability Act (HIPAA) business associate agreement entered into between the parties.
Ned T. Himmelrich
410-576-4171 • firstname.lastname@example.org