Are You Doing It …
In this week’s “Know The Rules!” I discuss the importance of Business Associate Agreement Management …
What happens when you don’t do it!!
Unless you’re new to healthcare, you know Covered Entities (CEs) are required to obtain a Business Associate Agreement (BAA) with each Business Associate (BA) before handing off ANY protected health information (PHI) to a third party vendor. (RIGHT????)
At some point, your healthcare organization could receive a complaint letter from the Health and Human Services (HHS), Office for Civil Rights (OCR). This letter will claim your organization is not in compliance with some portion(s) of the HIPAA Privacy, Security and Breach Notification Rule, or some combination.
Aside from a healthcare breach there are a number of events could bring you under the watchful eye of HHS. Here are just a few:
- • A patient complaint
- • Workforce member – past or present
- • Any BA, example: IT companies have filed complaints
- · Vendors workforce member – past or present
- • Social media post(s)
And let’s not overlook the likelihood of an uninvolved individual who is concerned with healthcare privacy!
So you see, the possibilities are ENDLESS!!
When this happens HHS will ask for and look at EVERYTHING!!
The first thing OCR will ask you to provide is ALL your BAAs, followed by your policies and procedures, 6 years of Risk Analysis and Risk Management plans, and the list goes on and on……. This is usually when organizations discover that many things, such as BAAs, are missing, outdated and/or unsigned.
From OCR’s perspective, BAAs are the compliance world’s “low hanging fruit” – if you are unable to manage your BAAs; HOW are you able to manage and secure the PHI in your organization?
Pagosa Springs Medical Center (PSMC), located in Pagosa Springs, Colorado, found this out on June 7, 2013, after OCR notified them of a complaint. The complaint alleged that a former employee still had remote access to the PSMC web-based scheduling calendar after leaving PSMC as an employee.
Pagosa Springs Medical Center (PSMC), is a small, rural hospital and in this event is considered the CE, as defined at 45 C.F.R. § 160.103, and therefore required to comply with HIPAA requirements.
PSMC is a critical access hospital with 11 inpatient beds, 24-hour emergency care, imaging, and other basic outpatient services, including a primary care clinic, radiology department, surgery department, orthopedics, infusion services, women’s health services and sports medicine.
What the OCR Investigation Revealed
OCR investigated and confirmed remote access to the calendar had continued and that the former employee had accessed the calendar on two occasions on July 8 and September 10, 2013, as a direct result of the failure to de-activate the former employee’s username and password. The calendar contained the electronic protected health information of 557 patients.
How Does HHS Discover You Don’t Have A BAA
Something else was discovered as a result of this complaint; PSMC did NOT have signed BAA in place with their web-based scheduling calendar vendor. Although the web-based scheduling calendar is HIPAA compliant, this case emphasizes the importance of obtaining a signed BAA BEFORE any protected health information is exchanged.
As OCR Director Roger Severino stated in the Settlement Announcement Press Release:
“It’s common sense that former employees should immediately lose access to protected patient information upon their separation from employment,”
“This case underscores the need for covered entities to always be aware of who has access to their ePHI and who doesn’t.”
Covered Entities that do not have or follow procedures to terminate information access privileges upon employee separation risk a HIPAA enforcement action. CEs must also evaluate relationships with vendors to ensure that BAAs are in place with all BAs BEFORE disclosing ANY PHI.
HHS Resolution Agreement – BA Relationships
The resolution agreement between HHS and PSMC provides valuable insight into the direction HHS could take regarding how organizations manage their BAs and BAAs.
Per the resolution agreement PSMC shall revise its policies and procedures relating to Business Associates (Business Associate Policies and Procedures) to:
- Designate one or more individual(s) who are responsible for ensuring that PSMC enters into a business associate agreement with each of its business associates, as defined by the HIPAA Rules, prior to PSMC disclosing protected health information (PHI) to the business associate;
- Create a process for assessing PSMC’s current and future business relationships to determine whether each relationship is with a “business associate,” as that term is defined under the HIPAA Rules;
- Create a process for negotiating and entering into business associate agreements with business associates prior to disclosing PHI to the business associates;
- Create a standard template business associate agreement;
- Create a process for maintaining documentation of each business associate agreement for at least six (6) years beyond the date when the business associate relationship is terminated; and
- Create a process to limit disclosures of PHI to business associates to the minimum necessary amount of PHI that is reasonably necessary for business associates to perform their duties.
Above is only a very small subset of what PSMC has to adhere to as part of their resolution agreement. In addition to paying the fine of $111,400, PSMC has agreed to implement a 2 year Corrective Action Plan (CAP), update their security management and BAAs, policies and procedures and train its workforce members.
Why You Should Pay Attention …
Simple answer – HHS is paying attention to BA workforce members – past or present and here is WHY you should TOO!!
- • HHS included 41 BAs during their 2016 Phase 2 HIPAA Audit:
- · Only a handful of entities have fully met compliance goals and objectives
- · Zero organizations met all HIPAA security risk analysis and management requirements
- · Access requests and Notice of Privacy Practices seems to be another weak area for the entities
- • In 2018, there were 76 different CEs added healthcare breaches the HHS “Wall of Shame” as a result of incidents involving their BAs
Why is this important and why should you pay attention …
Because, if any of your incidents involve BAs (or Sub-BAs!) – HHS is going to ask for BAAs and they’ll only give you 14 days to collect them all! Do you even know where all of your BAAs are?
One way to do this is to have a Business Associate Agreement Management (BAAM) process.
Business Associate Agreement Management
After you receive a complaint letter from HHS is not the time to start reviewing for your BAAs. This is why it is vital that your organization develops a BAAM process.
To help you, I have included a simple exercise which industry experts suggest you perform:
Instruction: Select a sample of your known BAAs and write down the following information about each one:
Step 1: Who are the two contracting parties?
Step 2: Is my organization the BA or the CE in this agreement?*
Step 4: What is the Breach Notification Time (BNT) and/or Sec Incident Notification Time (SINT)?
Step 5: Can you identify a Point of Contact or a preferred method of contact in case of breach?
Note: Time needed to complete this exercise will depend on the sample number and complexity of the BAAs.
This might seem like an unnecessary activity, however, you will gain valuable insights no matter the size of your organization.
Smaller organizations may be able to manage their BAAs with spreadsheets. However, larger ones may find it necessary to automate as many tasks as possible with the use of software tools.
Covered Entities and Business Associates need to understand that patients are entrusting YOU with their most private and intimate details, and they expect it to remain secure.
After all, it is YOUR practice, YOUR patient’s trust, YOUR reputation and YOUR legacy!
Why are you leaving yourself wide open to these risks?
Developing your BAAM process will help your organization understand the risks and requirements detailed within your BAAs. To learn more about how to automate your BAA review or any other part of what goes into a BAAM process schedule a call with us today!