Understanding an indemnification provision in a contract can lead to fewer headaches (and litigation) down the road.
Let’s start with the basics. An indemnitor is the party who is obliged to pay another party. An indemnitee is the party who is entitled to receive the payments.
According to Black’s Law Dictionary, indemnity is defined as “a duty to make good any loss, damage, or liability incurred by another.” This general definition omits some very key points. First, each word in an indemnification provision is broken down and evaluated by a court. Second, some items, such as criminal conduct or fraud, cannot be indemnified. Lastly, state law plays a key role in the drafting and interpretation of indemnification provisions. For physicians and healthcare industry participants alike, care should be taken to evaluate this provision, especially in light of the fact that a Business Associate Agreement (“BAA”) is a contract which is required under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Often a BAA is signed separately from a Master Service Agreement (MSA) or other contract for goods and/or services. Importantly, the provisions of all contracts should align, including the choice of law, venue and indemnification provisions.
Key words and phrases that courts consider when evaluating indemnification provisions are: indemnify; hold harmless; or hold harmless, protect and indemnify. As a general rule, indemnification clauses do not cover attorney fees unless it is expressly stated. For example, California has statutes regarding indemnification. Courts are often called upon to interpret statutes. In Rooz v. Kimmel, 55 Cal. App. 4th 573 (1997), the court emphasized the distinction of utilizing “indemnify” versus “hold harmless”. The parties executed a contract with the language “hold harmless, protect and indemnify.” At issue in the case was “whether or not a hold harmless agreement absolved North American Title Company (“North American”) of liability for negligence when North American failed to record a deed of trust in a timely fashion.” The California Court of Appeals indicated that North American was not seeking indemnification, rather it was relying on the “hold harmless” provision, which was viewed more as a “release of liability”. Because of the language that the parties used and agreed to, the appellate court held that the agreement released North American from liability for its own negligence – whether active or passive.
How does the aforementioned case apply to healthcare and cybersecurity? First, words matter. Second, in healthcare and in the provision of IT/cybersecurity services, there are often multiple contracts, including a BAA. HIPAA does not require that an indemnification provision be included in a BAA; however, a lot of parties include one. Two key considerations related to the inclusion of an indemnification provision are knowledge of the party you are dealing with and obtaining reasonable assurance from the other party that it has the requisite technical, administrative and physical safeguards in place for compliance with HIPAA and other related laws. This could lead one party to insist upon a unilateral indemnification or both parties to agree upon a mutual indemnification. Basically, it comes down to the proper allocation of risk.
Indemnification clauses are nuanced and can be a trap for the ignorant. I’m still shocked when I see parties trying to indemnify against fraud and criminal actions, which is against public policy. The best place to start is by consulting competent legal counsel, understanding the risks, and doing adequate due diligence on another party. Failing to do so can lead to unanticipated liability and significant costs.