By Greg Waldstreicher, CEO, PHIflow.
Healthcare organizations face unprecedented compliance challenges when it comes to managing business associate agreements (BAAs) amid frequent data breaches, heightened federal scrutiny and anticipated privacy legislation. Actions by the Office for Civil Rights (OCR) have clearly demonstrated stricter enforcement of HIPAA rules in recent years, and the industry has already witnessed a notable uptick in public shaming and fines associated with missing just a single BAA.
In December 2018 alone, OCR announced two notable settlements. Advanced Care Hospitalists (FL) entered into a $500,000 no-fault settlement with OCR, and Pagosa Springs Medical Center (CO) agreed to pay $111,400, both for missing a single BAA.
Simply put, BAAs have become a cornerstone of OCR compliance initiatives. And the outlook is not likely to change as trends point to continued advancement of privacy laws. As of the close of 2018, 12 states had already updated their privacy laws regarding notification to patients, shortening the 60-day notification window in the federal guidelines to 45 days, and in some states (CO, FL), the breach notification window is down to 30 days.
Breaches involving protected health information (PHI) are typically reported publicly at the Covered Entity (CE) level. When a breach involving a third party, or Business Associate (BA), occurs, one of the first things the federal government investigates is whether a BAA is in place with the CE. If a BAA does not exist, it typically sets off a chain reaction of investigations into other areas of HIPAA compliance.
While most headlines related to BAA compliance relate to CEs, HIPAA experts predict that 2019 will usher in greater focus on BAs and their management of these agreements as well. Many believe that unprepared BAs—especially small and mid-sized companies that lack resources to address HIPAA compliance—will become targets, increasing industry concern over proper BAA compliance.
Healthcare’s BAA management conundrum
Today’s healthcare organizations are feeling the heat, yet most are challenged to effectively manage BAAs due to limited resources for reviewing and managing massive and growing numbers of these agreements—reaching upwards of several thousand in larger organizations and health systems. Exacerbating this challenge is the current consolidation trend, which creates a fragmented landscape for BAA oversight that extends across multiple departments, facilities, affiliations and a multitude of different owners.
Consequently, manual, inconsistent workflows common to BAA management in today’s organizations open the door to significant risk. In truth, the most basic information often eludes the executive suite in most CEs and BAs, including the total number of existing agreements, where they are located and the terms of each.
BAAs are also the subject of intense negotiations between CEs, BAs and other subcontractors that often result in obligations that go beyond HIPAA and HITECH, causing contractual obligations to vary significantly between agreements. As a result, when organizations need to know the terms of these agreements, they must manually extract the information one agreement at a time. Within a framework of manual processes, conducting this kind of data extraction across hundreds or thousands of BAAs is simply unfeasible for many organizations.
Yet, compliance professionals need quick and easy access to this information to ensure optimal response to breaches, which have become the norm for healthcare organizations as opposed to the exception. Consider the findings of a 2018 Black Book Market Research study: 90 percent of healthcare organizations have experienced a data breach since the third quarter of 2016, and nearly 50 percent have had more than five.
A foundation for more efficient, effective BAA management
Automation, and in recent years, artificial intelligence (AI), sit at the top of industry process improvement efforts. And the results have proved significant in terms of advancing healthcare reform initiatives focused on lower costs and better outcomes. For instance, AI is now used to identify cancer sooner, explain lab results and verify insurance information.
The AI revolution is here, and BAA management can easily follow these movements with the right technological infrastructure in place. With automation and AI working together in the same platform, BAs and CEs can automate manual document review, significantly increasing operational efficiencies and reducing costs associated with compliance, regulatory audits, breach preparation and incident response.
Centralized management and real-time access to BAAs—regardless of the number that exist—help businesses make better-informed decisions by analyzing and aggregating the risks, requirements and rights associated with sharing PHI across a growing number of customers and vendors. Compliance officers and other BAA owners can change these processes by uploading agreements into a cloud-based application where they are saved in a central, intelligent repository. Next, HIPAA-focused AI algorithms instantly analyze each agreement and extract key information to drive actionable, appropriate and more informed oversight for:
- Overall compliance initiatives
- Breach preparation and response
- Data usage rights
- Internal or regulatory audit
- State data privacy law review
- Due diligence
It’s time for the healthcare industry to get its BAA house in order ahead of increased scrutiny by regulators to avoid potentially devastating penalties. Forward-looking organizations that draw on the promise of automation and AI to navigate the growing BAA compliance challenges created by today’s regulatory environment will be best positioned for compliance success and overall peace of mind.