The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) recently sued a small healthcare practice. Turns out they didn't have a BAA in place.
Unless you’re a hermit or extreme Luddite, you’ll be familiar with a growing requirement for protection of personal information and especially in areas relating to healthcare. The Health Insurance Portability and Accountability Act (HIPAA) is the compliance standard required by businesses who store Electronic Health Records (EHRs). High security standards are expected and compliance verification is enforced by approved third-party auditors.
Healthcare organizations must be HIPAA-compliant, but an often-overlooked part of the HIPAA regulations that is now being enforced on a larger scale is the Business Associate Agreement (BAA). Before focusing on this aspect, a note on HIPAA-speak: a ‘covered entity’ under HIPAA includes healthcare providers, health plans, and healthcare clearinghouses that process claims.
However, a 'business associate' is a whole other animal and can include companies that may not consider themselves a candidate for HIPAA penalties. These include cloud service providers, providers of mobile apps in the e-health industry, and basically any area where access to personal health information (PHI) is necessary to perform a service or function.
Do I Need a Business Associate Agreement?
In a recent news story on The National Law Review, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) sued a small practice in Chicago. They had to pay $31,000 in damages when one of their service providers (or business associates) shared PHI. It was discovered during the investigation that there was no BAA in place. The offending service provider, FileFax, is also accused of allowing employees to discard PHI in a dumpster and is being sued by the Attorney General in a separate suit. As indicated in the story, the key takeaway is that expensive penalties are possible even when a data breach never takes place.
If the alleged offence is true, another takeaway is that the employees were directed to throw PHI in the dumpster, when we all know the risks of carelessly discarded medical data. These risks can include identity theft, especially if combined with financial data, and other crimes. Even a patient’s appointment card could allow criminals the opportunity to burglarize homes or stalk their victims. In any case, is secure disposal really that difficult to accomplish?
In addition, the healthcare provider learned a valuable, if costly, lesson: if any service provider is accessing PHI, get a BAA and make sure that the provider is also following the HIPAA security recommendations for storing and managing the data correctly.
Even if you are performing a data recovery service, for example, I imagine you would need one, as data access is necessary to recover information. As a service provider with healthcare clients, if you are unsure whether you need a BAA, then ask advice from a healthcare attorney. I do know that outsourced services such as transcription, cloud services and mobile apps (where data is viewed, shared and updated) must certainly obtain a BAA for healthcare clients. What about ISPs? No idea; I'm still reeling from the recent changes in U.S. legislation, but logically they should have a BAA. Does HIPAA prevent ISPs from monetizing PHI on their networks? It should, but who knows?
What a HIPAA BAA Must Contain
Okay, so you’ve determined you need a BAA, as your clients include HIPAA-compliant ‘entities’. Now what? What are your obligations? In my opinion, little more than what is necessary to secure important data in any modern business. You just need to make it official by having the agreement in place, as it confirms you are prepared to handle PHI according to HIPAA guidelines.
Note: Under the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, a business associate’s handling and use of PHI must comply with both the HIPAA Security Rule and HIPAA Privacy Rule specifications. These include but are not limited to:
All HIPAA BAAs must include a specific description of how the business associate can use PHI.
The business agrees to refrain from using or disclosing PHI in ways other than allowed in the contract or in compliance with state and federal law.
The BA will use appropriate safeguards to secure PHI. An example of an appropriate safeguard would be using a secure managed file transfer tool.
If a data breach occurs, the covered entity must assist the business associate in resolving it, informing those affected and solving the issue. If this is not possible, the agreement is terminated with the business associate.
If terminating the agreement is not possible, the covered entity reports the problem to the OCR.
A covered entity is obligated to report all breaches as discovered, even if caused by a subcontractor. Details of response methods to the breach are required.
Business associates must indicate how they would handle an OCR investigation in the event of a breach.
Evaluate and Reduce Compliance Risk
In conclusion, since many of the requirements in a HIPAA BAA are already covered by typical cybersecurity and disaster recovery plans or policies, any reluctance to take on healthcare clients is only warranted if your existing security posture is weak. Taking on healthcare clients (if PHI is stored, accessed or shared for whatever reason) is a mistake without a BAA, as the previous $31,000 example shows.
Remember that it is best to be protected against litigation and that HIPAA enforcement is stronger than ever, with some penalties in the millions. Have you performed a risk management study to confirm HIPAA compliance as a business associate or indeed as an ‘entity’? While I don’t recommend all the latest tech (smart toasters, for example), it is certainly worth using automated solutions to ensure data traffic remains secure, encrypted and HIPAA-compliant, given the alternative where data breaches and regulatory penalties cost you money.