Description
Business Associates and required BAAs are discussed often but not resolved quickly. Let's talk about some ideas and issues that go with BAAs.
Links
Notes
Who is a BA?
- A business partner who provides a service to a CE or BA that requires them to CReMaT (create, receive, maintain, or transmit) PHI.
- Anyone with persistent access to ePHI is a BA; whether they actually do anything with it is irrelevant. The fact that they CAN is what matters.
- Complexity is increasing.
  - Dietitians contracted by a hospital need to see the scripts behind a diet, but their employer never stores, accesses, or has persistent access to that PHI; only the people on site see it. The employer isn't maintaining PHI, so the CE should train the dietitians on the Privacy Rule instead.
  - Being a BA means it is not your data: you hold it, or have access to it, on behalf of the CE that owns it.
  - A medical director could be a BA or could be a workforce member, depending on the contract they have with the employer.
  - An ACO formed by a hospital as a completely separate legal entity:
    - The ACO is staffed by hospital employees.
    - Plus the hospital provides IT services to the ACO legal entity.
    - That makes the hospital a BA of the ACO, which is really the hospital.
    - So the hospital is a BA to itself.
- Maintaining PHI vs. maintaining facilities with PHI
  - The data center where you store your servers: are they a BA?
  - NO: they are just the landlord for your server, so they aren't a BA.
  - YES: Physical, Administrative, and Technical Safeguards are all used to protect it, and they are doing all of the physical safeguards for you. You are outsourcing part of your obligations, so you should make them a BA.
  - It can be argued both ways, but 2 out of 3 lawyers said BA, and a poll of the room said they are a BA, not just a landlord.
  - BCBS of TN left drives at an old office and the landlord was securing the site. OCR's response was, in effect, "then why was there no BAA?" The resolution didn't mention the BA argument, but it was an expensive fine that clearly showed the OCR lawyers didn't consider the drives protected just because they were sitting in a closet of a facility you used to lease.
  - If you sell server space and store encrypted PHI, you are a BA under current guidance. Many will argue this point, though. You have to be prepared to decide for yourself. Even if you don't treat them like a BA, you should have an agreement of some sort that protects the PHI.
  - OCR is working on cloud computing guidance. The Security Rule, written early in this century, couldn't really consider all the things that are done today; it predates cloud computing, when everyone had their own servers in their offices or owned huge data centers.
  - You can't just counter this issue by making everyone sign a BAA, though. It is bad for the business that signs one and then either fails to comply or does work it may not need to be doing. It is bad for you because you are managing contracts that don't need to be managed and opening up cans of worms we haven't even found yet.
  - Make a decision about your business and be prepared to explain your logic.
  - If you are doing the work of a BA, you are still a BA without signing a BAA.
Included in BAA
- We are not lawyers, but we are talking about the contracts just a little bit here. Ask your attorney for advice on this stuff; don't rely on us or any other consultant for that advice. Also, get a HIPAA attorney, not a tax attorney.
- You should be reading these things, not just signing them.
- Indemnification can be included, and you need to know what you are committing to.
- Insurance requirements
  - Yours, mine, ours for cybersecurity.
  - What does it really cover, not just whether you have it.
  - New complexity in negotiations when your coverage limit is below the maximum your big groups require.
- State law requirements
- Notification timing: 60 days. If each link in the chain takes 60 days to notify the next, how far down the BA tail could it go? Shorten the days, but not too short. Give them time to figure things out, unless you want to hear about every incident that turns out to be OK.
- Breach notification responsibilities: can the BA notify a huge number of people within 60 days? Do they even have the resources to make that happen?
- The de-identification of PHI clause is there to prevent selling of data. They don't have to take out the doctor's name if they take out all other PHI. That means some of your valuable info could end up in a file that gets sold because it has no PHI in it.
- Indemnification
  - What liability limits are you going to include?
  - If a party acts reasonably, it shouldn't have to bear the whole burden; if it is reckless, it is fair to put most of the burden on it.
- The Security Rule may not go far enough, but you can up the ante in your agreements. Should you require encryption both at rest and in transit? Agreements may start to specify exactly what security standards you must adopt, which creates new problems.
Assessing BAs
- "I have a BAA, so I don't have to worry" is not a good idea.
- Does HIPAA even apply if they are offshore? US law doesn't apply in other countries. Do you know where your PHI really lives?
- A CE is not responsible for the acts of a BA with a signed BAA, but if you are aware of a pattern of non-compliance and do nothing about it, you would be liable. How much do you want to be unaware of vs. aware of in advance of a problem happening?
- What PHI you are talking about is key in assessing each situation:
  - Medical only
  - Demographics
  - SSNs and credit cards
  - Mental health, domestic abuse, STDs, etc., which carry special limitations
- Just because they have a SAS 70, SSAE 16, or SOC 1, 2, or 3 assessment doesn't mean it was a good assessment, nor does it mean it covers what you need covered for HIPAA. It does provide a benchmark, but that isn't necessarily enough for HIPAA.
- A sophisticated BA questionnaire is where most CEs are moving until standards are made more specific. It provides more specifics about the compliance programs:
  - Training
  - Who is really in charge, so you know whom to deal with in a crisis
- Do you audit the BA after the fact? Once you learn of problems you have to deal with them. Would you rather know or not know, that is the question.
- The easiest and quickest way to know is to let the tech geeks talk to each other and form their own opinions of what is happening. Let us handle the questions to ask; we have to deal with each other anyway, and no one else really understands.
- If you are a BA, have something you can show the CE/BA clients proactively, before they ask.