
Business Associate Subcontractor Avoids Indemnification Liability Following HIPAA Breach



CVS Pharmacy, Inc. v. Press America, Inc., 2019 WL 1380431 (S.D. N.Y. 2019)

A federal trial court has ruled in favor of a mailing service that faced indemnification liability after it mislabeled envelopes containing health plan participants’ protected health information (PHI), resulting in 41 letters being mailed to incorrect recipients. The mailing service was a subcontractor of the health plan’s pharmacy benefits manager (PBM), subjecting both the mailing service and the PBM to HIPAA’s privacy and security rules. The mailing mistake implicated a so-called performance guarantee provision in the PBM’s contract with the health plan, resulting in a “penalty” of $1.845 million, which the PBM paid to the plan. The PBM then demanded that the mailing service reimburse the penalty under their contract’s indemnification provisions and also refused to pay over $500,000 of open invoices. After the mailing service refused to pay, the PBM sued. The court denied the mailing service’s motion to dismiss the PBM’s claims, holding that the indemnification provisions were broad enough to cover the PBM’s payment to the health plan (see our Checkpoint article).

In this latest decision, the court ruled that the performance guarantee in the contract between the plan and the PBM was an unenforceable penalty under applicable state law because no evidence suggested that the payment amount correlated to the plan’s actual damages. Moreover, the plan and PBM had characterized the amounts due for breach of the performance guarantee as penalties. Therefore, although the indemnification provision in the contract between the mailing service and the PBM was broad enough to encompass the PBM’s payment to the health plan (regardless of whether the mailing service knew about the performance guarantee when it agreed to the indemnification provision), the mailing service avoided liability because the underlying performance guarantee was unenforceable. Essentially, the court ruled, the PBM took the risk that it would not receive indemnification when it paid the health plan without providing notice to the mailing service or obtaining its consent to the payment. The court also held that the PBM had to pay the mailing service’s open invoices because the mailing service had performed its contractual obligations, and the payments were not subject to offset in light of the indemnification provision’s inapplicability. Still, because the mailing service conceded that it had breached the contract by misdirecting the 41 letters, the court concluded that a trial would be necessary to determine the mailing service’s liability for actual damages related to the breach.

EBIA Comment: Indemnification provisions reflect contracting parties’ understandable desire for protection from the adverse consequences of another party’s mistake, but this superficially simple purpose conceals significant complexity when it comes to applying the provisions. In this case, the actual damages may be far less than the amount that would have been payable as indemnification. Indemnification provisions should be approached with caution and with a clear understanding of their potentially far-reaching implications. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXIV.D (“Agents and Subcontractors of a Business Associate”) and XXIV.E (“The Business Associate Contract: Beyond HIPAA’s Requirements”). See also EBIA’s Self-Insured Health Plans manual at Section XXIII.B (“Contracting With Service Providers”). You may also be interested in our workshop “Negotiating a HIPAA Business Associate Contract from the Plan Sponsor and Service Provider Perspectives” (recorded on 10/24/2018).




Contributing Editors: EBIA Staff.
