Archive for June, 2013

SaaS Agreements – Data Protection – HIPAA

On January 25th 2013, the US Department of Health and Human Services modified the rules of the Health Insurance Portability and Accountability Act 1996 (“HIPAA”). HIPAA applies to any SaaS suppliers who process protected health information (“PHI”) on behalf of customers to whom the Act applies, regardless of whether or not the SaaS supplier is located in the USA.


HIPAA is a US law that places security and privacy obligations on “covered entities” in the health care field, e.g. SaaS customers who are health care providers. If you are a SaaS supplier who processes PHI on behalf of a covered entity, you will also be subject to the provisions of HIPAA if you are a “business associate”.

A SaaS supplier is a “business associate” under HIPAA if it “creates, receives, maintains, or transmits” PHI, even if it does not view the PHI or only does so on a random or infrequent basis. Also, any subcontractor of the SaaS supplier, e.g. its data centre provider, will be a business associate for the same reason.

Business Associates

The importance of being a business associate is that it is now mandatory for SaaS suppliers who are business associates to include terms covering their privacy and security obligations under HIPAA in their SaaS agreements with customers. Also, SaaS suppliers are now directly liable for breaches of HIPAA’s security and privacy rules, which includes failing to cooperate with DHHS investigations of HIPAA breaches.

Liability is strict i.e. a SaaS supplier will be liable regardless of its intent. The penalties for breach are severe and can be up to 1.5 million dollars for all breaches in any calendar year.

How to Comply with HIPAA

SaaS suppliers cannot ensure that their SaaS customers comply with HIPAA, as they have no control over, and sometimes do not even know, what data users are uploading or which particular regulatory requirements apply to users and their data, especially where users are located outside of the UK or are subject to industry-specific regulations.

Therefore if you are a SaaS supplier offering SaaS services to the US health care and insurance sector and your customers are subject to HIPAA you should:

  • Consider amending the design of your SaaS software to make it more appropriate for dealing with PHI and to support compliance with HIPAA obligations;
  • Try to technically prevent PHI from being uploaded into and stored on your SaaS system;
  • Include clauses in your SaaS agreement which prohibit SaaS customers from uploading PHI; and
  • Include a SaaS customer indemnity in your SaaS agreement to protect you against any claims for breaches of HIPAA.

By drafting standard business associate clauses for inclusion in your SaaS agreement with customers and your agreements with relevant subcontractors you may be able to limit your liability for breaches of HIPAA and avoid your customers trying to impose their own more onerous clauses upon you.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years’ experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues, contact me.

SaaS Agreements – FAQs – Applicable Law and Jurisdiction

It is important to understand the difference between applicable law and jurisdiction when negotiating a SaaS agreement. Applicable law specifies which country’s laws will apply to your SaaS agreement. Jurisdiction specifies which courts will have authority to deal with a dispute. Usually a UK SaaS agreement will specify the laws of England and Wales as the applicable law and the courts of England will have jurisdiction.

English or Scottish Law

Many SaaS suppliers are not aware that two legal systems exist in the UK: English law and Scottish law, each with its own courts. English law and Scottish law are not the same, and it is important to specify which law applies and which courts should have jurisdiction, as there is no such thing as “UK law” or “UK courts”.

Other Laws

If you are a SaaS supplier used to dealing with customers located outside of the UK, you will be familiar with SaaS customers insisting on their local law applying to your SaaS agreement. Many SaaS suppliers agree to this by simply removing “English law” from the SaaS agreement and replacing it with, for example, “laws of Delaware”, unaware of the consequences this will have upon their SaaS terms and conditions.

Consequences of Changing the Applicable Law

By changing the law applicable to your SaaS agreement you may automatically invalidate many of the limitations on liability contained in your SaaS agreement. You may also become liable for types of damages that you thought were excluded in your SaaS agreement, e.g. direct damages, indirect damages, typically foreseeable damages, or punitive damages, because in some countries liability cannot be limited for these types of damages, or because the local understanding of which losses fall within these categories differs from English law.

This could also result in you becoming subject to local laws applicable to consumer contracts, even though you are contracting with a business. For example, in France, if you enter into a SaaS agreement with a business not operating in your business sector, your SaaS customer will be a consumer and will be protected by local consumer protection laws, e.g. with rights to refunds.

By agreeing to a change of law in your SaaS agreement you may also unknowingly grant customers new rights that do not exist under English law. For example, if you agree to a change to German law, under mandatory German law a customer can reduce the price it pays for the SaaS services if the service is defective.


If you agree to change the applicable law when negotiating your SaaS agreement, you should also consider changing the country in which the courts that will deal with any disputes are located, e.g. French law and the courts of Paris.


You should also specify in the SaaS agreement in which language disputes should be dealt with. If you do not speak or understand the local language of your customer you should state that all disputes must be dealt with in English. This is particularly important if the SaaS agreement has been translated into your customer’s local language. In this case you should state that the English version of the SaaS agreement will prevail if there is a discrepancy between the two versions.

Legal Costs

Also do not forget that the local rules on the amount of costs that a court can order the losing party to pay the winning party can vary substantially. In some jurisdictions and in some areas of law, no costs are recoverable at all by a winning party.


For the above reasons when considering SaaS customer requests to change the applicable law or jurisdiction in your SaaS agreement it is essential that you understand the difference between applicable law and jurisdiction and the implications of changing these.



SaaS Agreements – Dealing with Late Payment or Non-payment of Invoices

In the current economic climate, SaaS customers often delay payment of invoices. In order to protect your SaaS business and improve your cash flow, you should consider including the following in the terms of your SaaS agreement.

Right to Claim Interest

There is no requirement to have an interest clause in your SaaS agreement, as you have a statutory right to claim interest on late payments from a business customer (B2B) under the Late Payment of Commercial Debts (Interest) Act 1998 (“Act”). The statutory interest rate to be applied is the applicable Bank of England Base Rate + 8%.

Alternatively, you can specify a particular interest rate in your SaaS agreement. This can be a number, e.g. 7%, a reference to an index, e.g. the European Central Bank base rate, or a combination of both, e.g. the Bank of England base rate + 2%. The interest rate specified can be higher or lower than the statutory rate. Note that if you specify an interest rate in your SaaS agreement, the statutory rate will not apply, even if the interest rate you specify is lower than the statutory rate.

SaaS suppliers should therefore consider the following when deciding whether or not to include an interest clause and specific interest rate in the terms of their SaaS agreement.

  • By specifying an interest rate in your SaaS agreement you are inviting a business customer to negotiate a lower rate. If you have a weaker bargaining position, you may have to agree to a rate much lower than 8.5%;
  • Time and money could be wasted on protracted negotiations on which index to use and the % rate applicable;
  • Many SaaS customers are not aware that you have a mandatory right to claim interest on late payment and that the statutory rate will apply.

Right to Claim Compensation

In addition to claiming statutory interest from a SaaS customer, under the Act you are also entitled to a fixed amount of compensation. The amount is based upon the amount of the outstanding invoice:

  • £40 – for debts less than £1,000;
  • £70 – for debts between £1,000 and £9,999; and
  • £100 – for debts over £10,000.

Recovery of Costs

Since the 16th of March 2013 SaaS suppliers have the additional right to claim the difference between the fixed compensation amount and their reasonable costs in recovering the debt, e.g. appointing a debt recovery company or lawyer. However, this right only applies to debts accrued after the 16th of March 2013.

Right to Terminate or Suspend SaaS Services

If a SaaS customer fails to pay you on time this will be a breach of contract, but not a fundamental breach (which would permit you to terminate the SaaS agreement and claim damages). SaaS suppliers should therefore state in their SaaS terms and conditions that “time is of the essence” for all payments. If the SaaS customer then fails to pay on time, you can terminate the SaaS agreement immediately without notice and claim compensation. However, many SaaS customers will not agree to time being of the essence.

Alternatively, you could include the following specific rights in the SaaS agreement to achieve the same result:

  • the right of the SaaS supplier to terminate the SaaS agreement for late or non-payment; and/or
  • the right of the SaaS supplier to suspend delivery of the SaaS Services until payment is received.

