Who is a Business Associate?

A funny thing happened.  We got a great note from a listener who asked if we would do an episode on who is a Business Associate.  We both thought that odd since we know we have done one of those.  Well, yes we have.  In episode 2 way back in 2015.  Wow!  So, maybe there is more we have to add to that topic in 2019 after 214 other episodes.  Today, let’s talk about how to determine who your Business Associates are.

Who is a Business Associate?

This topic is really frustrating for both of us.  Too many times we have people come to us saying their XYZ vendor says they are not a BA and will not sign a BAA.  OMG, the number of times we have dealt with this – insert rant here.

Let’s get one thing out right off the bat.  If you do NOT sign a business associate agreement (BAA) it DOES NOT mean you are not a business associate.  If you do the work that makes you a business associate then you ARE a BA with or without an official agreement in place.  The only thing it means is that you are willfully neglecting your obligation to comply.  You are violating HIPAA requirements every day you do your work without an agreement in place.  You are also making your clients be in violation every day you are doing your work.

Who is a business associate, really?

Anyone that provides a service to a CE or another BA where the work they do requires persistent access to PHI in order to do that job.  Those jobs fall under the Create, Receive, Maintain and Transmit list we talk about.

If you CReMaT PHI for a CE or BA then you are a BA and responsible for the CIA (confidentiality, integrity and availability) of all of the PHI you have access to in order to do your job.

What kinds of vendors are Business Associates?

We have a long list of folks we usually try to go through to determine who is a BA.  Here are a few of them.

    • MSPs
    • Shredding companies
    • Billing companies
    • Collections companies
    • Translation companies
    • Transcription companies

Sometimes you have to get into the details of the relationship and business services or data involved.

    • Accounting firms – maybe
    • Law firms – maybe
    • Software vendors – maybe
    • Cloud services – maybe

In some research cases you may be able to use a limited data set under a data use agreement without a BAA being required.

The important thing is to take the time and evaluate vendors instead of making assumptions.  You must understand the business relationship and the services provided.  Sometimes a CE is a BA of another CE.

What do I do if my vendor says they are not a Business Associate?

On the Kardon website, we have a few nice little wizards.  No strings attached to use them.  Send your vendor there to complete the wizard.  There is also one for you to use called Is my vendor a BA.  Try that out if you think it might help.

The bottom line is that you have only a few options here.  You get them to do what is right, you find another vendor, or you report them to HHS.  There isn’t a lot else you can do in these cases.

I will also say clearly here that if you go through this process and they finally sign a BAA and claim they are going to comply with their obligations, you better vet them.  Don’t take their word for it.  They will do a few things here and there that they download from the internet.  They will make all staff watch a 15-minute video and they are done.  If you are a check-the-box compliance person that is fine.  Just get them to do it too.

But, if you take privacy and security seriously it doesn’t work.  If you are working hard to make sure your staff is trained and your policies and procedures are effective and audited, your BA slacking off can make all of your work for naught.  Let’s just look at the continuing saga coming out right now from the AMCA data breach.  That brings us to the next point in this review.

Business Associates should be vetted and reviewed regularly

This AMCA mess is massive and getting worse every day.  It is going to be bad, really, really bad.  I knew it was a giant breach from the time that Quest first announced their breach of 12 million patients.  When you go to the AMCA website and it says “We are one of the nation’s top agencies managing over $1BN in annual receivables for a very diverse client-base.”  Bam!  No way Quest with 12 million patients generated over $1BN in annual receivables.  Eight more providers made their breach announcements last week alone.  This is nowhere near done.  AMCA has been in business for over 30 years according to their website.  Now, they are filing bankruptcy over a data breach.  A really bad breach where hackers were in their systems for 8 months before they were found.

The information we get, no matter how small, from the failures that created this data breach will change the way all BAs are managed and vetted.  All of you folks out there who claim you don’t need to answer these questions when you get our assessments had better buckle down.  There is about to be a tsunami of them.  That is why we are working very hard to find ways to help our BAs prepare for them.

What should you worry about with the Business Associate Agreement?

That could be its own episode.  Remember we are not attorneys and we do not offer legal advice here.  But, we do read enough of those things to know what to look for and what to worry about.  Here are a few things we see in them and what we think about them.

    • If the contract is between two BAs then it should freaking say it is between two BAs!
    • You should have different contracts for different cases.
    • If you don’t do your part, they can get out just like you can get out if they don’t do theirs.
    • Indemnification matters if the breach is my fault, but the clause needs to say it applies when it was the BA’s fault, not just that the BA will pay if there is a breach.
    • Insurance matters, but if you don’t ask to be at the front of the line you will get very little – who will get their expenses covered by AMCA?
    • Pay attention to the breach notification timeframe.
    • Make sure the section that says they have to allow the Secretary to audit their compliance program also includes letting you audit their program.

Even more importantly, vet the BA to ensure they are doing what the contract says they are doing!

You need to ask them if they really are doing the things that they committed to do in the BAA.  It isn’t way out there to say that we have many times dealt with BAs that signed the agreement but then said they didn’t intend to do the work.  In the world we live in today we do not have the luxury of being lax with our protections for privacy and security.  The news is full of cases of data breaches caused by third parties every week.  It is getting worse now that people understand they can’t cover it up anymore.  I do not know if the activity is really worse or if people are just really reporting now.  Either way, it isn’t looking good for the next year or so until we get this under control.

Managing third parties is not something that should be taken lightly today.  I never did vet AMCA but I would wager someone would have said they had been in business for 30 years and they worked with large companies so they knew what they were doing.  Maybe not, but the fact that LabCorp has already been in trouble for not paying attention to their privacy and security programs.