Business Associates and required BAAs are discussed often but not resolved quickly. Let’s talk about some ideas and issues that go with BAAs.

Kardon Compliance

Who is a BA?

  • A business partner who provides a service to a CE or BA that requires them to CReMaT (create, receive, maintain, or transmit) PHI.
    • Anyone with persistent access to ePHI is a BA; whether they actually do anything with it is irrelevant – the fact that they CAN do things is what matters.
  • Complexity is increasing
    • Dietitians at a hospital need information on the prescriptions for the diet, but their employer never stores, accesses, or has persistent access to it; the workforce just needs to see it. The CE should train them on the Privacy Rule.
      BA means it is not your data, but you have it or have access to it from the owner, the CE.
    • A medical director could be a BA or could be a workforce member depending on the contract they have with the employer.
  • ACO formed by a hospital as a completely separate legal entity
    • But the ACO is staffed by hospital employees
    • Plus the hospital provides IT services to the ACO legal entity
    • Now that would make the hospital a BA of the ACO, which is really the hospital.
      • So, the hospital is a BA to itself
  • Maintaining PHI vs. maintaining facilities with PHI
    • Data center where you store your servers. Are they a BA?
      • NO. They are just the landlord for your server – so they aren’t a BA
      • YES. Physical, Administrative, Technical Safeguards are used to protect it, though
        • You are outsourcing part of your obligations because they are doing all of the physical safeguards for you, so you should make them a BA
    • Can be argued both ways, but 2 out of 3 lawyers said BA, plus a poll of the room says they are a BA, not just a landlord
      • BCBS of TN left drives at an old office and the landlord was securing the site
        • "Why was there no BAA, if that is the case?" was the OCR response
        • The resolution didn't mention the BA argument, but it was an expensive fine that clearly showed the OCR lawyers didn't see the drives as protected sitting in a closet of a facility you used to lease.
  • If you sell server space and store encrypted PHI you are a BA under current guidance.
    • Many will argue this point though.
    • You have to be prepared to decide for yourself
  • Even if you don’t treat them like a BA, then you should have an agreement of some sort that protects the PHI
  • OCR working on Cloud Computing Guidance
    • The Security Rule, from early in this century, couldn't really consider all the things that are done today
    • It was written before cloud computing, when everyone had their own servers in their offices or owned huge data centers
  • You can't just counter this issue by making everyone sign a BAA, though.
    • Bad for the business that signs them and either fails to comply or does work it may not need to be doing.
    • Bad for you because you are managing contracts that don't need to be managed and opening up cans of worms we haven't even found yet.
    • Make a decision about your business and be prepared to explain your logic
  • If you are doing the work of a BA, you are still a BA even without signing a BAA

Included in BAA

  • We are not lawyers, but we are talking about the contracts just a little bit here
    • Ask your attorney for advice on this stuff; don't rely on us or any other consultant for that advice
    • Also, get a HIPAA attorney – not a tax attorney
  • You should be reading these things, not just signing them
  • Indemnification can be included, and you need to know what you are committing to
  • Insurance requirements
    • Yours, mine, ours for cybersecurity
    • What does it really cover – not just whether you have it
    • New complexity in negotiations because you may not carry the maximum coverage level that your big groups need
  • State law requirements
  • 60 days – how far down the chain of downstream BAs could it go if each one has 60 days to notify?
    • Shorten the days, but not too short
    • Give them enough time to figure things out, unless you want to hear about every incident that turns out to be ok
  • Breach notification responsibilities
    • Can the BA notify a huge number of people within 60 days?
      • Do they even have the resources to make that happen?
  • De-identification of PHI clause is there to prevent selling of data
    • They don't have to take out the doctor's name if they take out all other PHI
      • That means some of your valuable info could end up in a file that gets sold because it has no PHI in it.
  • Indemnification
    • What liability limits are you going to include?
    • If I am acting reasonably, then I shouldn't have to bear the whole burden; but if I am reckless, then it is fair to put most of the burden on me
  • The Security Rule may not go far enough, but you can up the ante in your agreements
    • Should you require that encryption be used both at rest and in transit?
    • Agreements may start to specify exactly what security standards you must adopt, which creates new problems

Assessing BAs

  • "I have a BAA so I don't have to worry" – not a good idea
  • Does HIPAA even apply if they are offshore?
    • US law doesn't apply in other countries – do you know where your PHI really lives?
  • A CE is not responsible for the acts of a BA with a signed BAA, but
    • If you are aware of a pattern of non-compliance, then you would be liable
    • How much do you want to be unaware of vs. aware of in advance of a problem happening?
  • What PHI you are talking about is key in assessing each situation
    • Medical only
    • Demographics
    • SSN and Credit Cards
    • Is it mental health, domestic abuse, STDs, etc., with special limitations?
  • Just because you have a SAS 70, SSAE 16, or SOC 1, 2, or 3 assessment doesn't mean it was a good assessment, nor does it mean it covers what you need covered for HIPAA
    • It does provide a benchmark, but that isn't necessarily enough for HIPAA
  • A sophisticated BA questionnaire is where most CEs are moving until standards are made more specific
    • Provides more specifics about the compliance programs
      • Training
      • Who is really in charge for you to deal with in a crisis
  • Do you audit the BA after the fact?
    • Once you learn of problems, you have to deal with them
    • Would you rather know or not know? That is the question
  • The easiest / quickest way to know is to just let the tech geeks talk to each other and form their own opinions of what is happening
    • Let us handle the questions to ask
    • We have to deal with each other anyway
    • No one else really understands
  • If you are a BA, have something you can show your CE/BA clients proactively, before they ask