
House Rules: HIPAA and GLBA and Indemnity, Oh My!

Caveat: I did not write the following dialogue. It is from the “comments” section of one of my columns where I mentioned I’d be writing about HIPAA and GLBA. Unfortunately, I cannot attribute the comments to the persons who wrote them, as they are anonymous; however they are quite apropos of today’s subject:

1) “I wish vendors would get it into their heads that indemnity for being sued on a confidentiality basis doesn’t cut it for financial institutions and other customers/clients that have affirmative obligations without being sued in the event of a breach of confidentiality.”

2) “I wish financial institution customers would get it into their heads that the ‘customer information’ they’re obligated to protect is not the sort of thing they would ever disclose to the vast majority of their vendors, and stop using their ‘affirmative obligations’ as a tool to cram unnecessarily restrictive confidentiality terms down the throats of vendors.”

Perfect. Those two comments capture the schism between vendors and customers when dealing with private financial or personal confidential information….

The main statutes dealing with such information, and the rights and responsibilities attached to it, are HIPAA, the Health Insurance Portability and Accountability Act, and GLBA, the Gramm-Leach-Bliley Act. The former deals with health consumers’ private information, and the latter deals with financial consumers’ personal information. Rather than bore you with the details of each act, let’s agree that each refers to the protection of such material, and to the duties of institutions that hold such information to keep it private.

There’s no dispute that such information is to be kept private, and a leak can be financially detrimental, as well as costly on the public relations front. As an attorney for a vendor, I am often asked to review and advise on addenda to existing contracts that seek to add responsibilities to our performance, in order to ensure compliance with one of these Acts. These are becoming almost boilerplate in content, and even though I review them all, there are two sections I immediately redline out: 1) Indemnity and 2) Termination.

The parties have already agreed to these terms in our master agreement; why would I allow for additional responsibilities, and the potential for breach, by agreeing to them in an addendum? If there is pushback on Indemnity, I can sometimes agree to language stating we’ll provide for a year of credit monitoring, and some assistance with notice to affected parties in the unlikely eventuality of a breach.

But what I refuse to do is allow the customer to dictate the terms of the extent of their “damage.” What if “reasonable damages” means that you believe I should publish notices global in scope when only a small bit of information was leaked? As the second comment above states, there is no reason that our employees should be seeing such confidential information, and the hypothetical, “well, what if it’s lying on someone’s desk,” doesn’t cut it. Here’s a tip: don’t leave sensitive stuff lying around for all to see. And especially don’t expect your vendors to pick up the slack for your lax security measures.

Further, and more to the point, neither of these statutes requires indemnity on the part of a vendor. There are duties placed upon the institutions, but that’s the risk taken on by them. Any attempt at forcing a vendor to agree to extra-indemnify an institution post-execution is simply that: an unnecessary attempt to pass risk.

As for extra termination language, Customers always seem to try to add language stating that “in the event of a release of ‘such information’, Customer may immediately terminate this agreement.” What?! No — we agreed to terms in a master document that was negotiated over a long period of time that has been vetted by business, accounting, and legal, and now you want to do away with the entire agreement simply because of a release of information? That possibility should have been taken into account during agreement negotiations, not when your legal department realizes that they need extra protection. This is also outside the bounds of the statutes. Any customer telling you that “due to GLBA (or HIPAA) we have to require extra-indemnity, or immediate termination,” is being disingenuous.

Of course, institutional customers falling under either of these two statutes have many rules and regulations by which to abide. But that doesn’t mean they automatically have to pass the risk entirely to the vendor, and in few instances is such risk-passing warranted by the statutes. I suggest that by working together toward a reasonable agreement for the protection of this type of information, both parties can protect their interests, without much more risk than before the institution of HIPAA or GLBA.

Next time,

LoL and Indemnity Redux….

After two federal clerkships and several years as a litigator in law firms, David Mowry is happily ensconced as an in-house lawyer at a major technology company. He specializes in commercial leasing transactions, only sometimes misses litigation, and never regrets leaving firm life.
