The Uniform Commercial Code and Its Relation to Hardware, Software, and Related Services Used by Healthcare Sector Participants
Date Posted: Thursday,
February 22, 2024
As set forth in 45 CFR § 164.502(a)(3), a business associate may not utilize protected health information (PHI) in any way that would violate the Health Information Portability and Accountability Act of 1996 (HIPAA) and the related Privacy Rule. But what if a covered entity contracts with a business associate that provides technology managed services – specifically related to the maintenance and/or transmission of PHI, utilizing a combination of hardware, software, and related services – and a payment dispute arises? As the Department of Health and Human Services (HHS) has stated, it is improper for a business associate to simply "activate a 'kill switch' embedded in its software that renders the data inaccessible to its provider client to resolve the payment dispute."
Given that the business associate and the covered entity have an agreement for the business associate to provide services, what options does a business associate have when a covered entity fails to pay? First, I suggest giving a prescribed period of time to correct the issue after the first delinquent invoice. For example, if the person does not pay within the prescribed timeframe set by the contract, then a 30-day period will begin whereby the covered entity pays or, as should be defined in the business associate agreement (BAA), the business associate returns the data. Covered entities have their own obligations for ensuring the availability of its PHI and being compliant with 45 CFR §§ 164.308(b)(3), 164.502(e)(2), and 164.504(e)(1).
Another step which may be taken (and this is not limited to just healthcare sector providers) is the ability of the business associate to file what is known as a UCC (Uniform Commercial Code) lien with a respective state's Secretary of State. This is not a tool that should be utilized on a whim, and specific state laws need to be considered. What is the UCC? It is "a comprehensive set of laws governing all commercial transactions in the United States. It is not a federal law, but a uniformly adopted state law. Uniformity of law is essential in this area for the interstate transaction of business." In Texas for example, the UCC "allows a creditor … to notify other creditors about a debtor's assets used as collateral for a secured transaction." As set forth below, this does not mean that a physical item is required or a bank loan statement. Contracts often give a party the ability to exercise its right to file a UCC lien, as long as the parameters of the law are met.
Hypothetical Analysis
For example, a covered entity uses enterprise grade software to create a solution for each customer. Additionally, its services are tied directly to software, which courts have held to include cloud services, such as software-as-a-service ("SaaS"). Marquette University v. Kuali, Inc. (584 F.Supp.3d 720, 724 [2022]), is instructive: "Although all software is intangible, it is on some level movable in the sense that it can be transferred from one medium to another. In light of the compelling weight of authority accepting that software is a good under the UCC, it is easy to conclude that the software underlying Kuali Research Cloud was a good" (Id. at 724).
Traditionally, courts viewed all software as a good because it usually came in a box or was housed in a floppy disk or CD-ROM. See Graham Packaging Co., LP v. Com. (882 A.2d 1076, 1087 [PA Commonwealth Court, 2005]), comparing custom software to "canned" or "off-the-shelf" software. Some courts still treat all software as a good. In D.P. Tech. Corp. v. Sherwood Tool, Inc. (751 F. Supp. 1038 [D. Conn., 1990]), holding a contract for hardware, software, installation, and training was a contract for goods under the UCC, even when the computer system was "'specifically' designed for the plaintiff and not readily marketable"; see also Advent Sys. Ltd. v. Unisys Corp. (925 F.2d 670, 675-76 [3rd Cir., 1991]). A recent Southern District of Texas case, Equistar Chemicals, L.P. v. Indeck Power Equipment Company (2020 WL 4746469, n. 7 [citing Advent Sys. Ltd.]) is notable because it involved both the term "product," source codes, and licenses. A business associate transfers the licenses to and is, in essence, an agent for its customers in procuring the software licenses and providing related support of the software.
In conclusion, many courts, including those in Texas, have held that as long as a "good" is the predominant factor, then the services are also covered under the UCC. As articulated above, cloud computing (SaaS) services have been held to be goods.
Conclusion
In sum, in certain circumstances, business associates may have another option of getting paid when a covered entity defaults. It is important that each situation is evaluated individually, that the contractual language is considered, and the state's adoption of the UCC is consulted.
Rachel V. Rose, JD, MBA, is an Attorney at Law in Houston, TX. Rachel advises clients on healthcare, cybersecurity, securities law, and qui tam matters. She also teaches bioethics at Baylor College of Medicine. She has been consecutively named by Houstonia Magazine as a Top Lawyer (Healthcare) and to the National Women Trial Lawyer's Top 25. She can be reached at rvrose@rvrose.com. www.rvrose.com