Healthcare organizations face unprecedented compliance challenges when it comes to managing business associate agreements (BAAs) amid frequent data breaches, heightened federal scrutiny and anticipated privacy legislation. Actions by the Office for Civil Rights (OCR) have clearly demonstrated stricter enforcement of HIPAA rules in recent years, and the industry has already witnessed a notable uptick in public shaming and fines associated with missing just a single BAA.
In December 2018 alone, OCR announced two notable settlements. Advanced Care Hospitalists (FL) entered into a $500,000 no-fault settlement with OCR, and Pagosa Springs Medical Center (CO) agreed to pay $111,400, both for missing a single BAA.
Simply put, BAAs have become a cornerstone of OCR compliance initiatives. And the outlook is not likely to change as trends point to continued advancement of privacy laws. As of close of 2018, 12 states had already updated their privacy laws regarding notification to patients, shortening the standard 60 days from the federal guidelines to 45 days, and in some states (CO, FL), the breach notification window is down to 30 days.
Breaches involving protected health information (PHI) are typically reported publicly at the Covered Entity (CE) level. When a breach involving a third party, or Business Associate (BA), occurs, one of the first things the federal government investigates is whether a BAA is in place with the CE. If a BAA does not exist, it typically sets off a chain reaction of investigations into other areas of HIPAA compliance.
While most headlines related to BAA compliance relate to CEs, HIPAA experts predict that 2019 will usher in greater focus on BAs and their management of these agreements as well. Many believe that unprepared BAs—especially small and mid-sized companies that lack resources to address HIPAA compliance—will become targets, increasing industry concern over proper BAA compliance.
Healthcare’s BAA management conundrum
Today’s healthcare organizations are feeling the heat, yet most are challenged to effectively manage BAAs due to limited resources for reviewing and managing massive and growing numbers of these agreements—reaching upwards of several thousand in larger organizations and health systems. Exacerbating this challenge is the current consolidation trend, which creates a fragmented landscape for BAA oversight that extends across multiple departments, facilities, affiliations and a multitude of different owners.
Consequently, manual, inconsistent workflows common to BAA management in today’s organizations open the door to significant risk. In truth, the most basic information often eludes the executive suite in most CEs and BAs, including the total number of existing agreements, where they are located and the terms of each.
BAAs are also the subject of intense negotiations between CEs, BAs and other subcontractors that often result in obligations that go beyond HIPAA and HITECH, causing contractual obligations to vary significantly between agreements. Subsequently, when organizations need to know the terms of these agreements, they must manually extract the information one agreement at a time. Within a framework of manual processes, the resources required to conduct this kind of data extraction across hundreds or thousands of BAAs is simply unfeasible for many organizations.
Yet, compliance professionals need quick and easy access to this information to ensure optimal response to breaches, which have become the norm for healthcare organizations as opposed to the exception. Consider the findings of a 2018 Black Book Market Research study: 90 percent of healthcare organizations have experienced a data breach since the third quarter of 2016, and nearly 50 percent have had more than five.
The Health Insurance Portability and Accountability Act (HIPAA) is US legislation that was signed into law by President Bill Clinton in 1996. This law, enacted through regulations overseen by the Department of Health and Human Services (HHS), sets rules for the protection of healthcare information (called protected health information, or PHI) and the ability to maintain coverage when your employment changes. One of the core elements of HIPAA is the protection of electronic protected health information (ePHI) through physical, technical, disciplinary and administrative defenses.
HIPAA applies to two types of organizations, covered entities and business associates. While covered entities are organizations involved in healthcare payment, operations, and treatment, business associates are institutions that process patient data in the course of performing services for covered entities and their business associates. Companies within both of these categories need HIPAA-compliant storage and to generally follow the parameters established by the HHS.
Look to the Security Rule for guidance
Your primary consideration when you are considering HIPAA storage is the Security Rule, which includes physical, administrative and technical protections that should be used to prevent unauthorized access. Following the Security Rule requires organizations to do the following:
Verify that the electronic health records they produce, receive, store, or send are all strongly available, with their integrity and privacy maintained.
Determine and set up defenses against threats to the data that are reasonably anticipated.
Set up protections to prevent use or disclosure that is not allowed and is reasonably foreseen.
Be certain that your employees are following compliance guidelines.
The Security Rule is written in flexible language, with parameters that need to be met but no specific steps forward. That looseness of language, per the agency, is intended to allow individual organizations to come up with their own solutions based on the scope and nature of their institution.
Essential HIPAA-compliant storage safeguards
Here are the specific ePHI safeguards you need, whether internally or through an organization you contract, across the three Security Rule categories:
Technical safeguards
Transmission security – A HIPAA-compliant organization needs to deploy technical security mechanisms that keep nefarious parties from being able to unlawfully access health records that are being sent through the network.
Access controls – Companies must enact technical policy and procedure documents that outline rules for access to electronic health records.
Integrity control – To maintain HIPAA compliance, an organization must develop policies and procedures intended to prevent the manipulation or destruction of health data. Plus, there should be tools implemented to verify that information alteration or elimination is not occurring.
Audit controls – For any systems that hold or utilize electronic health data, institutions have to set up software, equipment, and process elements to log and analyze access and the related activities by users.
Physical safeguards
Workstation and device protections – Access to and use of electronic media and workstations should be governed by policies and procedures developed by the organization. A HIPAA-compliant company should have official policies and procedures related to how electronic media is moved, reused, decommissioned, and discarded.
Facility access – Institutions should verify that physical access to their data center is limited to authorized parties.
Administrative safeguards
Assessment – A HIPAA-compliant company has to routinely evaluate the extent to which its policies and procedures are aligned with the Security Rule.
Security point-person – There should be a designated security officer who creates and launches policy and procedure documents.
Staff management and training – There should be proper authorization and oversight of any staff members who handle patient data. All members of your workforce should have security training, and there must be consequences when anyone disregards the official guidelines.
Data access management – Follow the Privacy Rule’s principle of “minimum necessary” related to the use and disclosure of health data. The Security Rule mandates that the policies and procedures used by a HIPAA-compliant organization should only allow an individual to access data when their role gives them that permission (called role-based access).
Security management – To achieve HIPAA compliance, a company must identify risks and take steps to mitigate them. Risk analysis is critical because it will impact all the above efforts, so it is discussed in its own section below.
Risk analysis and management
All HIPAA compliant storage should be assessed for any risks on a regular basis. Here is how you move forward:
Assess risks to the data, potential results of related attacks, and how likely they are to occur.
Set up security protections against the risks discovered.
Record the security steps that are taken and why they were taken (as relevant).
Set up and support ongoing, appropriate, and reasonable safeguards.
Cloud providers and importance of the BAA
Many organizations work with outside parties to protect their ePHI. The Healthcare Industry Cybersecurity Task Force (HCIC) released a 2017 report of healthcare cybersecurity recommendations that addressed cloud relationships. One key point was to embrace cloud service providers, especially if your organization is smaller, since “smaller healthcare organizations often do not have the resources to fully staff a credible cybersecurity group.”
While cloud may make sense, the business associate agreement is critical to relationships with third parties. While you still must carefully vet these organizations, the BAA establishes responsibility for all aspects of the handling of the information that might otherwise be unclear.
Cloud security may now be stronger than at the typical traditional data center, but the risk still must be addressed. The essential nature of the BAA is underscored in the HHS’s “Guidance on HIPAA & Cloud Computing.”
Last fall, the provisions governing Business Associate Agreements under the HITECH law went into effect. Many covered entities used templates and models offered by professional societies and the Department of Health and Human Services, but it’s becoming increasingly clear that the “model” agreements were simply a stopgap measure, and that organizations that use BAAs need to conduct ongoing reviews of the documents and customize the language to meet the individual needs of their company.
The need for ongoing reviews to business associate agreements stems from an increased focus on compliance, and audits from the Office of Civil Rights (OCR) in DHHS. In the past, HIPAA compliance audits were limited to specifically covered entities, such as doctors’ offices and hospitals. Using HIPPA-compliant providers like healthcare fax companies to transmit protected data on their encrypted servers has been the best way for health care professionals to avoid audit issues.
However, the provisions of HITECH allow for audits of subcontractors as well, ensuring that they too are complying with the privacy and security policies of the act. Essentially, then, a business associate agreement serves as an agreement by the subcontractor that it will adhere to the rules and standards of HIPAA — and they understand the consequences of noncompliance.
Some argue that the notion of business associate agreements is outdated, given that HITECH holds all subcontractors who have access to HIPAA-protected data to the same privacy and security standards as the covered entity itself, even without the written agreement. The law still states, though, that covered entities must negotiate and maintain compliant BAAs with the companies that have access to their data — even those that may not directly have access to the data.
The simple fact that the OCR is conducting audits of business associate agreements and the companies covered by the agreements, highlights the importance of maintaining up-to-date and comprehensive agreements — meaning that the “boilerplate” agreement that you signed to meet the basic compliance standards may not be enough at this point.
Considerations for Review
Since it’s been a year since the new provisions went into effect, it’s very likely that your BAAs are reasonably up-to-date, and in compliance with the laws. That being said, if you used a template, or you only made minor changes to existing agreements, it’s best to review the agreements you have on file to ensure they comply with current law.
Many experts agree that BAAs should be reviewed at least once a year or more often if they expire, or if there are significant changes to the business relationship.
When reviewing your business associate agreements, there are a few key points to pay close attention to:
Guest post by Travis Good, M.D., CEO and co-founder of Catalyze, Inc.
Even if a bit delayed, the power and value of cloud-based technologies is starting to seep into healthcare. With each new cloud-based technology piloted or taken to scale by a healthcare organization, other institutions and corporations become more willing to roll the dice on deploying cloud-based technology. While still slow, it is happening, but not where you may think. Instead of found in the typical core applications of EHR or practice management systems, we find cloud-based technologies being introduced into the innovative health technology areas of virtual care delivery and patient self-reporting. Those areas are breaking down the barriers to cloud adoption in healthcare and that pace is increasing.
Cloud-based technology acceptance, along with everything else in the healthcare industry is moving faster than ever before. Accountable care, bundled payments, patient satisfaction, continuous care and the consumerization of healthcare are catalyzing changes to a very large, slow moving, highly regulated and risk averse industry. Technology and technology enabled services are essential for riding out these waves of change.
Every healthcare segment has seen these paradigm shifts and is trying to carve out a piece of the new pie. Large medical centers and health systems want to commercialize tools created in-house. Payers are building technology geared toward new forms of care delivery and price transparency, while biopharma is building technology to deliver continuous care powered by data from its core products – devices and medicines. All three of these healthcare segments can build technologies that utilize cloud computing and thus reap the following benefits:
A more nimble organization
Consumption of only the resources needed
Access to technology and apps across geographic barriers
Compliance and Cloud Computing
With recent changes to HIPAA that went into affect as part of the HITECH and HIPAA Omnibus Rule in 2013, a surge in compliance interest has developed, especially with compliance as it relates to cloud computing. The HIPAA Omnibus Rule created a new segment within the string of compliance leading back to covered entities. The new “subcontractor” segment is something of which every healthcare compliance officer must be aware. In much the same way as a business associate processes, transmits or stores ePHI for a “covered entity,” a subcontractor will also process, transmit, or store ePHI for “business associates.” And, subcontractors, like business associates, are required to sign business associate agreements (BAAs). These agreements outline the obligations of each party in meeting different aspects of HIPAA compliance rules, and delegate the risk based on different types of possible ePHI breaches.
In creating this new “subcontractor” entity, the Omnibus Rule accounted for the paradigm shift in technology development and cloud computing. The most commonly used example of a subcontractor is found in a cloud hosting provider like Amazon (AWS) or Rackspace; yet, many other types of services exist that could be considered subcontractors.
As data and services are being accessed via Web services (typically APIs), a huge number of BLANK-as-a-Service offerings have emerged. Many modern applications utilize third-party APIs for features and functionality to speed time-to-market, while adding value to users. Using simple to consume APIs, modern applications can tap into databases, messaging (SMS, Push, email or voice), usage metrics, logging, customer support, data sources, backup and so forth.
Last fall, the provisions governing Business Associate Agreements under the HITECH law went into effect. Many covered entities used templates and models offered by professional societies and the Department of Health and Human Services, but it’s becoming increasingly clear that the “model” agreements were simply a stopgap measure, and that organizations that use BAAs need to conduct ongoing reviews of the documents and customize the language to meet the individual needs of their company.