Key Elements for Secure Business Associate Agreements, Relationships
Impact Advisors’ Shefali Mookencherry dives into key elements for building secure business associate agreements and relationships that can protect the covered entity in the event of a data breach.
By - The healthcare sector relies on a vast number of third-party vendors, supply chain businesses, and other business associates to ensure relatively seamless care transactions. But with each transaction and added vendor, the threat landscape continues to expand. And the onus for ensuring privacy and security of patient data falls to the covered entity.
Under HIPAA, all covered entities must enter into a business associate agreement with each vendor that handles or interacts with protected health information. That agreement is designed to protect the covered entity for compliance purposes – or in the event of a breach.
Last year saw a number of massive vendor-related breaches. Two of which highlight the importance of ensuring vendors adhere to their BAAs, as well as HIPAA and agreed upon security terms.
To start, the American Medical Collection Agency breach revealed in May 2019 impacted more than 25 million patients from a host of lab companies and other covered entities, such as Quest Diagnostics and LabCorp.
In the breach lawsuit filed by patients after the breach, the largest complaint highlighted was that they were not notified directly by the companies. Patients first learned about the breach through a Securities and Exchange Commission filing, well after the HIPAA-mandated 60-day time limit.
Notifications were also a struggle in the Wolverine Solutions Group security incident, stemming from a September 2018 ransomware attack. The vendor opted to send impacted patients “rolling notifications” over the course of several months, ending in early 2019.
Both shed light on difficulties in ensuring privacy and security of healthcare vendors, along with ensuring business associates are adhering to BAAs.
Unfortunately, these issues will continue to plague the healthcare sector in the coming year, with a rise in BA breaches, according to Shefali Mookencherry, principal advisor of Impact Advisors.
“Convenience is a major factor in allowing various security controls to be overlooked,” Mookencherry explained. “Covered entities may look to vendors to safeguard the covered entity’s protected health information and ePHI. “
“The actions or lack of actions of a BA could operationally impact a covered entity and increase the covered entity’s liability,” she continued. “Developing and signing a BAA is a HIPAA requirement, but does not ‘guarantee’ that a covered entity is protected from BA related breaches.”
Reducing BA Vulnerabilities
Healthcare providers must ensure their business associates and subcontractors are actively protecting all patient data, she explained. It would be impossible to police all of their actions, but risk can be reduced by leaning on an inventory of all subcontractors and business associates.
The process should begin with a BA risk assessment to plan for an attack, Mookencherry said. To start, providers should identify all business associates and vendors; review and track signed BAAs; and perform a technical due diligence by assessing your Business Associates’ HIPAA compliance.
"The actions or lack of actions of a BA could operationally impact a covered entity and increase the covered entity’s liability."
Further, providers need to understand which of its BAs use subcontractors and the services they provide to their business associate. Organizations will also need confidentiality agreements with vendors that do not qualify as business associates.
“The above actions won’t necessarily stop a breach but if the business associate answers ‘no’ to any of the questions during a HIPAA security risk assessment, covered entities should be concerned that there is a higher chance that the business associate might fall victim to a PHI breach,” Mookencherry said.
BA Breach Implications for Providers
When a provider is notified that one of their business associates have been breached, it’s important to take immediate action, as “breach notification compliance is measurable by the development and implementation of a breach notification policy and procedure.”
However, if the covered entity and or business associate does not have such a policy in place, Mookencherry stressed each must develop and implement a plan.
First, establish a breach notification team between the BA and covered entity. It’s on the business associate to identify the appropriate staff and to work with the identified covered entity staff to understand the risks and complete those breach notification requirements.
And if a BA risk assessment wasn’t performed prior to the breach by the provider, than the covered entity should do so after being notified of the breach.
“If a breach of unsecured protected health information occurs at or by a business associate, the BA must notify the covered entity following the discovery of the breach,” Mookencherry said. It must breach reported without reasonable delay, and within 60 days of discovery.
“To the extent possible, the Business Associate should provide the covered entity with the identification of each individual affected by the breach as well as any other available information required to be provided by the covered entity in its notification to affected individuals,” she added.
Further, the covered entity is responsible for ensuring the impacted individuals are notified, but the process of individual notifications can be delegated to the business associate. Mookencherry explained that the covered entity and business associate should consider which is in the best position to provide notice to the patient
It can depend on a variety situations, “such as the functions the business associate performs on behalf of the covered entity and which entity has the relationship with the individual.”
“Covered entities that experience a breach affecting more than 500 residents of a state or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the state or jurisdiction,” Mookencherry said.
“Covered entities will likely provide this notification in the form of a press release to appropriate media outlets serving the affected area,” she added. “Follow up between the BA and covered entity is key to ensuring that breach notification requirements are satisfied. The BA and covered entity must keep copies of all documents and retain confirmation of submissions.”
The notice must be provided without reasonable delay and no later than 60 days, which include the same information for the individual notice.
Building Complete Business Associate Agreements
Under HIPAA, any individual or entity performing functions or services on behalf of a covered entity that requires the business associate to access patient health data PHI is considered a business associate and therefore must enter into a business associate contract.
To protect themselves in the event of a breach, Mookencherry explained that organizations need to add specific language to their contracts.
For example, under the “recitals section” cover entities should add:
“Department of Health and Human Services issued and adopted regulations under the HIPAA Act of 1996, the privacy standards adopted by HHS, 45 C.F.R. parts 160 and 164, subparts A and E (the "Privacy Rule"), the security standards adopted by HHS, 45 C.F.R. parts 160, 162, and 164, subpart C (the "Security Rule"), and the Privacy provisions (Subtitle D), and Breach Notification Rule, 45 CFR §§ 164.400-414 of the HITECH Act, Division A, Title XIII of Pub. L. 111-5 (“Breach Notification Rule”), and its implementing regulations (the "HITECH Act"). The HIPAA Privacy, Security, Omnibus, and Breach Notification Rules under the HITECH Act are collectively referred to as "HIPAA" and/or “HIPAA Standards” for the purposes of this Agreement.
Under the “Implement Safeguards” section:
“Business Associate shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the Covered Entity.
Business Associate shall further ensure that any agent, including a subcontractor, to whom Business Associate provides PHI agrees to implement reasonable and appropriate safeguards to protect PHI. Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance.
Business Associate agrees to reasonably participate in Covered Entity’s PHI security risk assessment process to safeguard electronic PHI.”
Lastly, under “insurance” section, organizations should ensure the following language is incorporated into the contract:
“Business Associate shall obtain and maintain during the term of any Arrangement(s) between Business Associate and Covered Entity, liability insurance covering claims based on a violation of the federal laws, Privacy Standards, any applicable state law or regulation concerning the privacy and security of patient information and claims based on its obligations as a Business Associate pursuant to this Agreement (‘claims’).”
“The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured PHI,” Mookencherry explained. “For a BA and a covered entity, failure to comply with BA breach notification requirements may result in an Office of Civil Rights investigation, fines and corrective action plans.”
“Also, the covered entity has the ‘ultimate responsibility’ for breaches related to their own PHI/ePHI,” she continued. “Hence, both the covered entity and BA should work together to satisfy breach notification requirements.”
