Healthcare’s BAA Breach Readiness Quandary
Optimally managing growing volumes of agreements for timely response
By Kathleen Kenney, Privacy and Security Attorney, Polsinelli and Greg Waldstreicher, CEO, PHIflow
Data breaches and security incidents are no longer a matter of “if” but “when” for healthcare organizations today. A 2018 cybersecurity survey by Black Book Market Research found that 90 percent of healthcare organizations have experienced a data breach since the third quarter of 2016, and nearly 50 percent have had more than five. And the numbers for 2018 are sobering: 1.13 million records were exposed by 110 breaches in first quarter alone.
When a breach incident is identified, time is of the essence for organizations to respond swiftly and meet strict notification windows dictated by HIPAA and state laws, as well as the contract terms outlined in Business Associate Agreements (BAAs). That is why it is more important than ever that the executive suite deploy strategies to ensure breach response readiness proactively. This requires having a step-by-step action plan that ensures required notification timeframes are met.
Covered Entities (CEs) must enter into a BAA with any person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of or in service to a CE. These agreements provide the CE and the Office for Civil Rights (OCR) with satisfactory assurance that the Business Associate (BA) will safeguard the PHI in its possession and will be prepared to take the steps it needs to take to comply with HIPAA and the BAA should a breach occur.
Effective oversight of BAAs plays an important role in response readiness as the terms of these contracts are often more stringent than the regulations themselves and drive many post-breach processes. Yet, strategies for effectively managing BAAs have simply not kept up with their escalating numbers in many organizations. Many health systems have amassed thousands of BAAs, yet healthcare executives often lack a transparent view into the number of agreements that exist, where they are located and the specific terms of each—until an incident occurs. From a HIPAA compliance and reputational standpoint, this is a big problem.
In recent years, the stakes surrounding BAA compliance have become increasingly high amid investigations launched by the OCR, which prioritized review of these agreements and produced sizeable penalties in some cases. Oversight of BAAs is now paramount, and the status quo of BAA management must morph from reactive response to a well-honed strategy that draws on the promise of automation and technology-enabled workflows to ensures readiness.
HIPAA requires that CEs and BAs must enter into a written agreement—the BAA—that ensures PHI will be protected in accordance with HIPAA guidelines. As noted above, an organization qualifies as a BA if it “creates, receives, maintains, or transmits” PHI “on behalf of” either a CE or another BA. BAAs also detail timeframes for breach notification and response, or the amount of time allowed for BAs to notify CEs of a breach incident.
Identifying vendors that qualify as BAs is not always easy. The lines can get blurred as not all outside vendors or service providers working with a healthcare organization qualify as BAs under HIPAA. While rare, some exceptions exist such as a hospital landscaper or janitor, or the company a healthcare organization contracts with solely for paper supplies. Examples of typical BAs include data and analytics software providers, billing companies and medical software providers.
It is also possible for a vendor to transition from an exempt service to a one that would make it a BA. For example, a company that provides teleconference lines today for CEs may also provide screensharing and recording services tomorrow. To ensure compliance, a recent Manatt report found that many healthcare organizations simply enter into BAAs with all vendors regardless of whether they exchange PHI, driving up the numbers of these contracts that exist across an enterprise.
Adding to the complexities, some organizations increasingly find that they are serving as both CEs and BAs. For instance, Amazon Web Services must sign BAAs with all clients that are storing PHI in its cloud. In that case, Amazon is the BA. However, Amazon recently purchased the online pharmacy PillPack, creating a CE within its umbrella. Now Amazon must manage its agreements from two different HIPAA perspectives. Because BAA management is primarily a manual function in today’s healthcare environment, these types of scenario notably increase the complexities of categorizing BAAs and maintaining a state of breach response readiness from both perspectives.
Breach Response Readiness: The BAA Challenge
Consider this typical process flow as it relates to BAAs when a breach occurs:
A large health system contacts its attorney, who requests a copy of all BAAs to begin a sizeable data extraction process. Along with identifying the breach notification terms of each agreement, the attorney must pull out such key elements as indemnifications, points of contact and state law stipulations. Those overseeing the breach response must then create a data locker and manually track down all BAAs in existence—often equating to thousands of documents spread across facilities, departments and owners. Once all BAAs have been identified and uploaded, the project manager shares the database with the organizational attorney. Because the terms of each BAA vary widely, a manual review of each agreement must be conducted to extract the needed information. This typically takes between 1-2 hours per agreement. As such, it is not uncommon for several weeks to pass before completing the initial data mining process, opening the health system up to greater risk of non-compliance and exposure.
Lack of visibility into BAAs is a common issue across the healthcare industry today. At the most basic level, the Manatt report found that large organizations face significant challenges to simply keeping an accurate count of BAAs. Rapidly growing consolidation trends in the healthcare sector exacerbate the situation as many healthcare organizations simply lack a centralized method of managing agreements and the resources needed to keep pace with their growing numbers.
Extracting needed data in the aftermath of a breach incident can be tedious and costly and stressful on a business. The language contained in BAAs has become significantly more complicated due to a fluid and evolving regulatory environment as well as the vital role these patient protection agreements play in an overall security strategy. As a result, the obligations within each agreement are different, and the costs of manually parsing the information needed to ensure contract terms are followed across thousands of BAAs can add up fast—especially since the average attorney fee sits at more than $250 per hour for document review alone. This fee does not include any strategic oversight or advisory from an executive-level attorney. For example, an entry level attorney may be used for initial review and extraction, but attorneys with much higher rates—upwards of $700—may also review the work and provide oversight and direction. With the help of technology, healthcare organizations can rely on counsel to advise on the incident and mitigation steps with a firm understanding from the start of the organization’s obligations under the BAA.
In addition, many agreements are missing critical breach response information such as contact points at various organizations or their preferred method of outreach. To achieve a state of readiness, healthcare organizations must get ahead of this information curve, yet many executives find the process cost prohibitive or are reluctant to expend the hefty resources. Consequently, breach response processes are unnecessarily chaotic at a time when the value proposition of order is of the utmost significance.
A Better BAA Breach Readiness Strategy
To improve the outlook on breach readiness as it pertains to BAAs, healthcare organizations need a cost efficient method of increasing visibility into these agreements across the enterprise. The right infrastructure working in tandem with strategic ownership and oversight can help overcome barriers associated with: 1) fragmented versus centralized management; 2) knowledge gaps regarding what is contained in each BAA; and 3) timely access to insights that can power breach response strategy.
Automated, central management of BAAs is an important consideration that can promote the much needed process improvement. Like many areas of healthcare, the right technological framework can provide the transparency needed to create efficiencies, expedite response and fill critical knowledge gaps—such as an accurate count of existing BAAs and a complete list of respective points of contacts. Once compiled in a central repository, artificial intelligence can be used to extract actionable insights such as the breach notification timeframes. Together, these technology-enabled processes overcome cost barriers and ensure timely access to needed information when a breach occurs.
In addition, technology can power proactive breach readiness processes such as regular audits of BAAs. At a minimum, executives can identify key terms to better understand organizational risk by answering key questions such as:
- Which BAAs are missing points of contact, phone numbers or mailing addresses?
- Which agreements require notifications within 7 days?
Today’s healthcare organizations are up against a formidable enemy when it comes to data breaches and security incidents. Readiness and efficient breach response processes are critical to achieving the best outcome for healthcare customers and patients, and effective management of BAAs is most certainly an important part of this equation. Healthcare executives are wise to prioritize process improvement in this area by leveraging technology to move response from reactive to proactive while time is still on their side.
Katie Kenney is a Privacy and Security Attorney at Polsinelli PC in the firm's Chicago office. She specializes in HIPAA and international privacy issues, including the General Data Protection Regulation (GDPR), and focuses her practice on the health care industry. Prior to joining the firm, Katie worked for HHS/OCR in Washington DC, where, among other duties, she helped draft the breach notification regulations and related commentary, regularly reviewed high impact breach cases, and actively participated on the agency's audit team.
This article was originally published in For the Record Magazine.