Confidentiality, Indemnification, and Business Associates Agreements

Many third-party administrators that process health and welfare claims for plan administrators do not obtain a SOC 1 (SM) report. It may be necessary for the auditor to request access to the third-party administrators' records to test claim transactions in order to obtain sufficient evidence to achieve the audit objectives. In many instances, a third-party administrator will request that the auditor enter into a confidentiality, indemnification, or business associates agreement signed by the auditor, third-party administrator, and plan sponsor relating to the claims testing.

Auditors need to take special care in reviewing these agreements. Often the auditor may not agree with certain language in the agreement, resulting in delays in the audit while mutually agreeable language is determined. Many of the representations are very broad. The agreements generally require that the auditor hold the claim processor harmless from any actual or threatened action arising from the release of information, without limitation of liability. In addition, the agreements may require the auditor to hold the client harmless as well. This last indemnification will most likely contradict provisions in the engagement letter between the auditor and the client. Auditors need to keep in mind that the testing of claims at a third-party administrator could be delayed as a result of the request to sign such an agreement and should plan the timing of the audit accordingly. Before the auditor enters into any confidentiality agreement, the agreement should be reviewed by the auditor's legal counsel. If the auditor is unable to obtain access to records as a result of not signing a confidentiality agreement, a scope limitation could result.