Healthcare organizations cite “willingness to sign a Business Associate Agreement (BAA)” as their top consideration when evaluating cloud service providers (CSPs). But what are you really signing up for when you execute your CSP’s BAA? HOSTING General Counsel Steve Yoost provides expert insights on BAAs in our latest webinar, Understanding Your Cloud Service Provider’s BAA. Missed it? You can view the on-demand version anytime. Following are some highlights from his presentation.
Please note – while Steve is a well-respected lawyer, he’s not your lawyer. HOSTING recommends that you review and discuss any legal matters pertaining to Business Associate Agreements with your attorney.
What BAAs mean for cloud service providers
Under the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA), a business associate agreement (BAA) is a contract between a HIPAA covered entity (CE) and a HIPAA business associate (BA). The contract sets out how the BA will protect protected health information (PHI) in accordance with the HIPAA rules.
- Covered Entities (CEs) – these include healthcare providers, health plans and healthcare clearinghouses. Examples of CEs include: physicians, hospitals, health insurance companies, healthcare billing services and value-added healthcare networks.
- Business Associates (BAs) – these refer to entities that create, receive, maintain or transmit PHI on behalf of Covered Entities. Examples of BAs include: record storage companies, data analysis companies and hosting providers.
CSPs that claim to be “BAA-friendly” should be aware of the Omnibus Rule of 2013. A final rule that amended the HIPAA regulations, it clearly defines the responsibilities that third-party providers have in regard to safeguarding PHI. The Omnibus Rule requires compliance from any entity that “creates, receives, maintains or transmits PHI on behalf of customers that are healthcare providers, health plans or healthcare clearinghouses.” In practice, this means a hosting provider that stores or processes a customer’s PHI is a business associate whether or not it ever looks at the data.
Unfortunately, some CSPs try to skirt responsibility for safeguarding an organization’s PHI by invoking the following BAA “loopholes”:
- Janitor Clause – HIPAA does not treat as business associates those whose functions or services don’t involve using or disclosing PHI at all, but who may have incidental access to it. For example, a janitor who works at a hospital is not a business associate and carries no BAA obligations around PHI.
- Conduit Clause – HIPAA provides a narrow exception for entities, such as postal workers or an internet service provider, that merely transport PHI and do not access it other than randomly or infrequently. HHS has stated that this exception is limited to transmission services and does not extend to a CSP that stores electronic PHI, even when the CSP holds the data only in encrypted form and has no decryption key.
Consider it a red flag if a potential CSP tells you that it isn’t responsible for safeguarding PHI because of either or both of these clauses.
Three actions to take before signing a Business Associate Agreement
Assess your risks
Understand the risks that exist in your organization. Determine what people, processes and technology are in place to address these risks.
- Internal compliance – look at your organization’s compliance obligations.
- HIPAA compliance – inventory your PHI: where it is created, stored and transmitted, and in what systems. Most organizations that hold a lot of PHI find it difficult to secure and encrypt all of it on their own.
- Legal risk – understand your organization’s state, federal and local obligations for PHI. Educate yourself on data privacy laws as they pertain to your company.
- Data breach expense – data breaches are expensive. Decide if you have the financial capital and human resources to remediate one.
- Evaluate whether or not your potential CSP’s strategy for Business Associates (BAs) meets your risk management needs.
Assess your BAA
Is it HIPAA-compliant?
Steve recommends that organizations either draft their own BAA (with the assistance of qualified legal counsel) that is compliant with post-2013 HIPAA regulations, or use the sample BAA provisions that the Department of Health and Human Services (HHS) publishes for organizations to adopt. Failing that, insist that the CSP’s BAA is compliant with post-2013 HIPAA regulations.
Is it the right kind of BAA?
Steve notes that there are two types of BAAs: one between a Covered Entity and a Business Associate, and one between a Business Associate and its subcontractors. Make sure your potential CSP knows the difference.
Does it address all of your security and risk issues or are there gaps?
Ensure there is a “flow down” of BAAs from the Covered Entity to the Business Associate and any authorized subcontractors.
Assess your Business Associate (BA)
Conduct due diligence to determine if the BA is a good partner for you.
- Find out if the vendor is sufficiently knowledgeable of HIPAA and can properly address your risk management needs.
- Determine whether the BA has undergone a third-party HIPAA compliance audit or assessment (note that HHS does not issue or endorse any official HIPAA “certification”). Obtain a copy of the report to ascertain whether it lists any gaps, cautions or issues. If there are any, find out how they are being addressed.
- Go through “what-if” scenarios to determine whether your BA offers any guarantees if a site goes down, there is a breach, or you are subject to an audit. HOSTING is one of the few CSPs that offers 100% Audit Assurance: if our customer fails its compliance audit because of our services, we will correct the issue to get the customer compliant (at no cost to the customer) or allow the customer to opt out of its contract with us.
- Check whether your BA is listed on the HHS Office for Civil Rights (OCR) breach portal, often called the “wall of shame,” which lists reported breaches of unsecured PHI affecting 500 or more individuals.
- Ask if your BA carries technology errors and omissions (cyber liability) insurance. If so, find out the following:
  - What are the limits on the policy (market amounts and related costs)?
  - Is there a data breach fund?
  - Does it contain other elements relevant to risk management?
  - Can your organization be named as an additional insured?
Key terms that every BAA should have
Steve recommends that organizations follow the BAA template provided by HHS (“Go with the gold standard.”) Short and concise, it includes the following sections:
- Section 1: Definitions – taken from HIPAA
- Section 2: Business Associate Obligations – What the Business Associate will and will not do
- Section 3: Covered Entity Obligations – What the Covered Entity will and will not do
- Section 4: Term and Termination
- HIPAA obligations extend past contract terms. At the end of a contract relationship with a BA, the BA must return or destroy PHI. If the BA must keep the PHI for any reason, it must maintain appropriate protection for it according to the law, regardless of whether or not they are getting paid.
- Section 5: Miscellaneous
- This is a good place to include information about who is obligated to encrypt PHI in transit and at rest. As Steve notes, “there is no data breach if the data is encrypted.” Under the HIPAA Breach Notification Rule, PHI that is encrypted in a manner consistent with HHS guidance is not “unsecured PHI,” so its loss or theft does not trigger breach notification, provided the decryption key is not compromised along with it. So make sure to clearly define encryption responsibilities, including who holds and manages the keys, in your BAA.
Terms and loopholes to avoid in a BAA
Additional subcontracting – Don’t let a BA subcontract services without your consent.
Pre-Omnibus BAAs and non-standard definitions – BAAs drafted prior to the Omnibus Rule of 2013 are not compliant. Stick with the HHS version and its defined terms. Avoid unusual definitions that don’t match HIPAA, e.g. a definition of “breach” narrower than the one in the regulations.
As a trusted CSP to nearly 200 healthcare organizations, HOSTING readily signs BAAs as a standard practice. View Steve’s webinar for more information about crafting the right BAA for your specific needs.