CVS v. Press America: Business Associate Agreement Indemnities

February 1, 2018 Advisory

Recently, the United States District Court for the Southern District of New York denied a defendant's motion to dismiss a nearly $2 million lawsuit, arising from an indemnity in a HIPAA Business Associate Agreement (BAA).[1] In this case, the plaintiff's contractor caused a HIPAA breach involving the data of the plaintiff's customer. As a result, the plaintiff paid damages to its customer and then sued the contractor for indemnification. The defendant contractor moved to dismiss, arguing that it had no knowledge that the contract between the plaintiff and its customer required that the plaintiff pay its customer such damages. The plaintiff based its case on the strength of the indemnity provision in its BAA with the defendant contractor and survived the defendant's motion to dismiss.

The US District Court Decision

CVS Pharmacy, Inc. and Caremark Rx LLC (collectively, CVS) provided pharmacy benefit management services to International Business Machines Corporation's (IBM) health plan. In providing such services, CVS's subcontractor (Press America) allegedly mailed incorrect information, including names and prescribed medications, to IBM beneficiaries 41 times. As a result, CVS credited nearly $2 million to IBM in accordance with the terms of CVS's contract with IBM; this amount was calculated as 3% of CVS's annual contract value with IBM multiplied by 41.

In its BAA with CVS, Press America had agreed to:

indemnify and hold harmless CVS and any of its officers, directors, employees, or agents from and against any claim, cause of action, liability, damage, cost, or expense … arising out of or in connection with any breach of the terms of this Agreement, any Breach of Private Information under the control of [Press America] or its agents or subcontractors that requires notification under the HIPAA Rules or state law, or any failure to perform its obligations with respect to Private Information by [Press America], it[s] officers, employees, agents, or any person or entity under [Press America's] direction or control.

Based on this indemnity, CVS requested reimbursement from Press America, but Press America refused. CVS sued Press America, and Press America filed a motion to dismiss, arguing it was not responsible for CVS's payment to IBM. The court denied the motion to dismiss despite:

  • Press America not having any knowledge of CVS's specific contractual obligations and/or liability to IBM and
  • Press America having no right to approve or contest CVS's settlement of its contract claim with IBM (e.g., Press America had no opportunity to argue that the $2 million payment by CVS to IBM was an unenforceable penalty).

With that said, the court left open a number of issues for final adjudication, including whether or not the parties intended the indemnity to cover contracts with third parties. Depending on the result of the litigation, Press America may be liable for the nearly $2 million in damages. Alternatively, Press America may opt to settle to avoid extended litigation. Either way, Press America agreed to a very broad health information related indemnity in a BAA and is now dealing with its very real consequences. As this case illustrates, negotiating the precise wording of the indemnification provision in a BAA and understanding the potential liabilities that may result is critical. In fact, agreeing to broadly indemnify another party may result in significant contractual liability. While the BAA terms may sometimes be viewed as routine, it is essential to review them carefully, because the practical consequences can be severe.

If you have questions about HIPAA, or want to learn more about the HIPAA practice group, contact Michelle DeBarge or Jody Erdfarb.

[1] CVS Pharmacy, Inc., et al. v. Press America, Inc., No. 17 Civ. 190 (S.D.N.Y. Jan. 4, 2018).