As technological innovations drive the healthcare industry to store and share more PHI online, it becomes more vital than ever to mitigate the risks that business associates – who have access to sensitive data – pose. At the National HIPAA Summit in Washington D.C. on March 4-9, 2019, an expert panel discussed the role of HIPAA business associate agreements and how to keep sensitive PHI safe – even after exchanging it with third parties. The panel included:
- Anne Kimbol, JD, LLM, CIPP/US, CHPC
Assistant General Counsel and Chief Privacy Officer, HITRUST; Former General Counsel, Texas Health Services Authority
- Chris Wargo, MBA
Managing Partner, Infolock
- Shane Whitlatch, MBA
General Manager for Healthcare, FairWarning
- Iliana Peters, JD, LLM
Shareholder, Polsinelli; Former Acting Deputy Director, Health Information Privacy, Office for Civil Rights, US Department of Health and Human Services
Here are five questions to ask yourself to ensure your business associate relationships are as risk-free as possible.
1. What constitutes a business associate in healthcare?
HIPAA defines a business associate as “a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A ‘business associate’ also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.”
In short, to be a business associate under the HIPAA definition, the entity, whether a subcontractor, vendor, or other party, must create, receive, maintain, or transmit PHI on behalf of the covered entity. A vital part of your risk assessment strategy is determining which of your vendors actually pose a risk to PHI, and that becomes harder if you sign BAAs with vendors that aren't business associates at all. A vendor that never handles PHI on behalf of the covered entity is not a business associate, and treating it as one dilutes the attention you can give to the vendors that are.
2. What challenges do business associates present?
To maintain the privacy and security of patient information, covered entities must have a current HIPAA Business Associate Agreement (BAA) in place with every partner that has access to PHI. But a BAA is only a starting point: you must foster an open dialogue by performing risk assessments around the services each partner provides. Some business associates, because of what they do and how much PHI they touch, present a higher level of risk than others. It's essential to decide where to spend your resources by ranking them on a risk-based scale.
Organizations differ, so their risk profiles differ too. Ensuring the safety of business partnerships is paramount: the largest healthcare breach reported in January 2019 involved a business associate and affected nearly 112,000 records.
“Security investment has a seat at the table in the budget, just like every other part of our business.” – Shane Whitlatch, General Manager for Healthcare, FairWarning
3. How do we reach a place where covered entities and business associates work together seamlessly?
One of the most prominent challenges privacy and compliance officers face is allocating resources properly, a task that matters equally for business associates and covered entities. To ensure everyone's on the right track:
- Create and refer to a formal document that describes the services provided, software, involved parties, and associated agreements.
- Ask questions about how your business associates deliver their service and any associated risk.
- Know how to execute an effective contract.
- Make sure business associates have a baseline privacy and security program in place to protect your PHI.
“If we can get legal and business together and we can get legal and security together – and heck, let’s be optimistic, all three in the same room — I think there’d be a big improvement in how the system runs.” – Anne Kimbol, Assistant General Counsel and Chief Privacy Officer, HITRUST
4. How do you maintain compliance and security when partnering with business associates?
Between HIPAA, state laws, and (in certain instances) GDPR, healthcare organizations face a quagmire of regulations. Which laws apply to you and your business associates depends on where you operate and whose data you handle; how you satisfy them depends partly on the size and resources of your organization. HIPAA's Security Rule safeguards explicitly take an organization's size into account while keeping the goal of protecting PHI constant.
“The Security Rule is flexible and scalable to allow covered entities to analyze their own needs and implement solutions appropriate for their specific environments. What is appropriate for a particular covered entity will depend on the nature of the covered entity’s business, as well as the covered entity’s size and resources.” – HIPAA Security Rule
Larger companies have the workforce and budget to fine-tune their HIPAA business associate agreements to the regulations that apply to each relationship and to keep those relationships under active management. Smaller groups tend to have fewer personnel and smaller budgets dedicated to managing business associates; for them, the practical way to stay compliant is to hold every business associate to the highest applicable standard rather than tailoring each agreement.
“Regulations or frameworks are so similar, you can really get lost in the weeds trying to differentiate between one and the other. The most cost-effective strategy is to figure out what’s the highest standard and architect your security program around that.” – Chris Wargo, Managing Partner, Infolock
Remember that compliance is a floor, not a ceiling: it's the base-level minimum any organization must meet to maintain privacy and security, not a goal to aim for. Have the conversation with business associates about what happens in the event of a breach before one occurs, so that both parties understand how the relationship will work in those circumstances. Planning for a breach empowers both covered entities and business associates.
Ask these questions ahead of time – not after a breach:
- “Who’s going to do what?”
- “Who’s going to notify individuals affected or the media?”
- “Who’s going to pay for potential settlements?”
“You have to decide what is reasonable security. And that’s where you come down to doing your internal risk assessment — taking your security seriously as a business rather than trying to figure out what the lowest common denominator is.” – Anne Kimbol, Assistant General Counsel and Chief Privacy Officer, HITRUST
5. What best practices can we learn from other industries?
With healthcare ranking as the industry most vulnerable to insider threats, it's valuable to learn how other types of businesses handle similar situations. PHI isn't the only type of sensitive data that needs protecting: Personally Identifiable Information (PII) matters in healthcare too, and other regulated industries have long experience guarding it.
One industry that stands out for strong PII security measures is the financial sector, and regulatory regimes outside healthcare often impose more thorough requirements on vendors. GDPR, for example, requires companies to bind their processors by contract and to ensure that sub-processors are held to the same obligations.
The Gramm-Leach-Bliley Act (GLBA), a US financial regulation, requires companies to oversee their service providers: any subcontractor or agent that receives, uses, or has access to PII must implement reasonable and appropriate safeguards to protect it and must agree in writing to the confidentiality and security requirements of the agreement.
“If you’re going to choose an industry to model security best practices, [financial services is] the one. That’s the industry that has invested the most in it. You see a greater level of maturity there… They take this more seriously. Therefore, they invest more time and resources in it.” – Chris Wargo, Managing Partner, Infolock
As the healthcare tech climate continues to grow and evolve, collaboration with business associates has become an essential facet of the industry. Thorough business associate agreements, a strong privacy and security program, and clear conversations about what happens after a breach will go a long way toward keeping patients' PHI safe.