Legislation Details

File #: 14164   
Type: Consent Status: Agenda Ready
File created: 5/11/2026 Department: Arrowhead Regional Medical Center
On agenda: 5/19/2026 Final action:
Subject: Approve Business Associate Agreement with Becton Dickinson and Company
Attachments: 1. COV - ARMC - 5-19-26 - Becton Dickenson BAA, 2. CON - ARMC - 5-19-26 - Becton Dickenson BAA

REPORT/RECOMMENDATION TO THE BOARD OF SUPERVISORS

OF SAN BERNARDINO COUNTY

AND RECORD OF ACTION

 

                                          May 19, 2026

 

FROM

ANDREW GOLDFRACH, ARMC Chief Executive Officer, Arrowhead Regional Medical Center 

         

SUBJECT                      


Approve Business Associate Agreement with Becton Dickinson and Company


 

RECOMMENDATION(S)


Approve non-financial Business Associate Agreement with Becton, Dickinson, and Company, including non-standard terms, to safeguard the confidentiality of patient protected health information, effective from May 19, 2026 through August 19, 2029.

(Presenter: Andrew Goldfrach, ARMC Chief Executive Officer, 580-6150)


 

COUNTY AND CHIEF EXECUTIVE OFFICER GOALS & OBJECTIVES

Provide for the Safety, Health and Social Service Needs of County Residents.

 

FINANCIAL IMPACT

Approval of this item will not result in the use of Discretionary General Funding (Net County Cost) as this Business Associate Agreement (BAA) with Becton, Dickinson, and Company (Becton) is non-financial in nature.

 

BACKGROUND INFORMATION

On August 20, 2024 (Item No. 19), the Board of Supervisors approved Agreement No. 24-753 with Becton, including non-standard terms, for the BD BACTEC FX Culture System (System), accessories, consumables, software, service and training in the amount not-to-exceed $1,3000,000, for the period of August 20, 2024 through August 19, 2029. This System analyzes patient specimens and may require Becton to access, use, or transmit protected health information (PHI), necessitating the recommended BAA.

 

Approval of the BAA with Becton will ensure that Becton protects the confidentiality of PHI of patients at ARMC. Under the Health Insurance Portability and Accountability Act (HIPAA), covered entities (such as ARMC) that contract with a service provider that maintains, uses, accesses, or transmits PHI are required to enter into a BAA. The purpose of a BAA is to set clear obligations for safeguarding that information, limiting its use and disclosure, and requiring appropriate security, breach reporting, and compliance measures. In healthcare, BAAs are important because they extend privacy and security protections to the broader network of service providers (such as billing companies, cloud hosts, and analytics vendors) who may access patient data. As a core element of HIPAA compliance, a BAA documents each party’s responsibilities, helps ensure administrative, physical, and technical safeguards are in place, and provides accountability through terms addressing subcontractors, incident response, and termination for noncompliance.

 

The BAA is Becton’s standard commercial BAA, negotiated by the parties, which significantly deviates from the standard County BAA as follows:

 

1. Becton must report a breach of PHI within ten calendar days.

   The standard County BAA requires contractors to report suspected and actual breaches within one business day.

   Potential Impact: The County will not receive notification of suspected breaches. Additionally, Becton has up to 10 calendar days to provide notice to the County. This means that the County will have less time to comply with its legal reporting obligations to regulatory agencies and less time to mitigate harm associated with a breach.

 

2. The County agrees to indemnify Becton for any claims that are directly caused by the County’s breach of the BAA, a breach of unsecured PHI due to the acts or omissions of the County, or the County’s failure to comply with HIPAA.

   The County standard BAA does not include any indemnification or defense by the County of a contractor.

   Potential Impact: By agreeing to indemnify Becton, the County could be contractually waiving the protection of sovereign immunity. Claims that may otherwise be barred against the County, time limited, or expense limited could be brought against Becton without such limitations and the County could be responsible to defend and reimburse Becton for costs, expenses, and damages.

 

3. Becton limits its indemnity obligation to claims that are directly caused by its breach of the BAA, a breach of unsecured PHI due to its acts or omissions, or its failure to comply with HIPAA.

   The County standard BAA requires the contractor to indemnify the County from all claims that are caused by or result from the acts or omissions of the contractor, its officers, employees, agents and subcontractors, with respect to the use, access, maintenance or disclosure of PHI, including without limitation, any breach of PHI or any expenses incurred by the County in providing required breach notifications under federal and state laws.

   Potential Impact: Becton’s indemnity obligation is more limited compared to the standard County BAA indemnity obligation. In the event a claim arises that falls outside the scope of Becton’s limited indemnity obligation, the County could be financially responsible for the defense of the claim and any resulting judgment/settlement.

 

4. Becton is not required to make itself, its employees, or subcontractors available to the County, at no cost to the County, to testify as witnesses or otherwise be available to assist the County involving a claimed violation of HIPAA.

   The County standard BAA requires the contractor to make itself, its employees, and subcontractors available to assist the County in claimed violations of HIPAA at no cost to the County.

   Potential Impact: In the event there is a claimed violation of HIPAA and Becton’s employees or subcontractors have information that may be relevant to the County’s defense, the County may be required to pay corresponding witness fees that it might not otherwise be required to pay with the standard County provision in the BAA.

 

5. Except for indemnification claims or claims based on fraud, gross negligence, or willful misconduct, Becton disclaims liability for consequential, indirect, special, punitive, exemplary or incidental damages. Becton also limits its liability to the greater of $1,000,000 or two times the fees paid by the County under Agreement No. 24-753 in the twelve months preceding the event that gave rise to the claim.

   The standard County BAA does not include a limitation of liability.

   Potential Impact: Claims could exceed the liability cap and the BAA amount, leaving the County financially liable for the excess.

ARMC recommends approval of the BAA, including the non-standard terms, as it will enable the hospital to provide for the safety, health and social needs of County residents by protecting patient information.

 

PROCUREMENT

Not applicable.

 

REVIEW BY OTHERS

This item has been reviewed by County Counsel (Charles Phan, Supervising Deputy County Counsel, 387-5487) on April 14, 2026; Risk Management (Stephanie Pacheco, Staff Analyst II, 386-90) on April 20, 2026; ARMC Finance (Chen Wu, Finance and Budget Officer, 580-3165) on April 27, 2026; and County Finance and Administration (Jenny Yang, Administrative Analyst, 387-4884) on April 27, 2026.