A decade ago, management of Business Associate Agreements (BAAs) was relatively easy. In fact, for most industry stakeholders, it was viewed as a low-priority compliance responsibility that essentially amounted to checking off another HIPAA requirement.
Today, the stakes surrounding BAA compliance have become increasingly high. Compliance professionals need to be equipped with a deep understanding of how these agreements fit into a privacy and security strategy and how to optimally manage them. In this white paper, you will learn:
If you are new to healthcare compliance, we applaud your efforts to protect the industry’s most important asset: patient data. We also recognize the overwhelming nature of navigating healthcare’s complex regulatory web and hope to make your job a bit easier.
So, take a deep breath, exhale and consider how the following information can help you optimize one of healthcare’s growing compliance challenges: management of Business Associate Agreements (BAAs).
Depending on the size of your organization, you may have a team of professionals working with you or you may be the one-stop-shop for all compliance matters. The reality is that compliance staffing models vary widely across hospitals, health systems and other healthcare service providers. Yet, regardless of structure, all healthcare compliance leaders share a common reality: your organization shares data with a growing number of business partners and vendors, and BAAs need to be in place to comply with HIPAA.
HIPAA requires that Covered Entities (CEs) and Business Associates (BAs) enter into a written agreement—the BAA—that ensures protected health information (PHI) is managed in accordance with HIPAA guidelines.
An organization is either a CE, BA or a hybrid of the two.
The lines can get blurred. That is why you must not only understand your organization’s classification, but also how that classification may change with each agreement and relationship.
New compliance leaders often find that they have inherited multiple messes: risk analyses and privacy policies are out of date, compliance audits are behind and of course, BAA management is a disaster. If this is you, rest assured that you are not alone in your struggle. BAA management has become increasingly complex in recent years due to a perfect storm of security and regulatory initiatives.
As the compliance lead, you were likely provided documents that describe the policies and procedures related to all areas of privacy, including HIPAA. You were also likely handed a pile of BAAs in either digital or paper format, although it is probably difficult to determine if the stack you are holding is complete or if others exist.
There are many reasons why BAA management has become fragmented. For example, if your organization is like many in healthcare, it has likely completed a merger, acquisition or a strategic partnership in recent years. Or, it has simply been growing.
The momentum behind healthcare consolidation trends shows no sign of slowing, and while these movements are great for creating economies of scale, they wreak havoc on BAA management. Compliance directors like you must often navigate across multiple facilities and departments to locate agreements within disparate systems and paper files. In addition, your organization may not have a centralized compliance function, which means you must identify and reach out to others who have ownership of BAAs. You are not alone in your compliance headaches!
As a simple exercise, industry experts suggest pulling a sample of existing BAAs and writing down the following information about each one:
The Omnibus Rule went into effect in March 2013, but CEs and BAs had until September 23, 2013 to become compliant. The final changes impacted BAs in three primary ways:
The first steps to optimal BAA management require answering key questions about each BAA as defined in the above section. This type of oversight and analysis is tedious and time-consuming—especially since the average health system maintains thousands of BAAs, and successful and growing BAs often house hundreds, if not thousands of these contracts as well.
Yet, completing this exercise for every single BAA is critical to understanding your organization’s exposure and maintaining a state of breach readiness. Data breaches and security incidents are no longer a matter of “if” but “when” for healthcare organizations today. Consider the findings of a 2018 Black Book Market Research study: 90 percent of healthcare organizations have experienced a data breach since the third quarter of 2016, and nearly 50 percent have had more than five.
Consequently, preparedness has never been more important as healthcare organizations need quick access to the information in these agreements to comply with BNTs and other terms when a breach occurs.
Breach Notification Times (BNT) are provisions within a BAA that meticulously detail the timeframes for reporting a breach once a breach is discovered or should have been discovered. While HIPAA guidance requires that CEs notify patients impacted by a breach ‘without unreasonable delay and in no case later than 60 days’, the reality is that BNTs vary widely across BAAs in terms of how quickly a BA must report a breach to a CE or another BA.
A simple audit might uncover timeframes of two business days in one contract and 15 calendar days in another. Or, a contract may simply say “promptly” or “without reasonable delay.” Interpreting these various terms and complying with the legalities of so many different parameters can be overwhelming for most resource-strapped compliance departments.
Conduct a thorough audit of three BAAs, extracting the following information:
Was all the information available? How long did that take? How many BAAs were in that folder? Now imagine conducting this analysis for all BAAs in your organization. If this seems like an impossible task, you probably did the audit correctly.
Based on the time it took to complete the full audit of a small sample, calculate the resources that will be required to complete this process and maintain accurate information on an ongoing basis.
If you are like most resource-strapped compliance departments, you will likely fall short of available time and staff. In turn, you may consider turning to a third party to conduct the audit, although the costs associated with this work are high—typically more than $250 per hour for a HIPAA attorney. Low estimates point to timeframes of roughly one hour to read, identify and extract key elements from a single BAA. Do the math. What will manual BAA review cost you?
Automated management of BAAs in a centralized repository can significantly improve transparency and streamline audit processes. In addition, advances in artificial intelligence have eased the pain of manual document review and equip healthcare executives with actionable BAA insights in ways previously unavailable. The best solutions help you:
BAA management is your job; don’t let it get out of control. While the current state of BAA management in your organization is not your fault, it’s vitally important that you clean it up. And fortunately, there are tools that can help.
If the total number of organizations you share PHI with is greater than the total number of BAAs in your folder, you may have a serious problem.