How to Manage Your Business Associate Risk



In this webinar, SecurityMetrics HIPAA Fulfillment Manager, Ryan Marshall, HCISPP, covers:

  • What covered entities need to know about business associates
  • Business associate agreement requirements and best practices
  • Tips to mentor business associate compliance

This webinar was hosted on April 27th, 2017.

Transcript of How to Manage Your Business Associate Risk

Okay. We're gonna go ahead and get started with today's webinar. Thanks everyone for your attendance. We're excited to be talking to you today about HIPAA compliance.

The webinar is how to manage your business associate risk. And today, our presenter will be Ryan Marshall, who is an HCISPP and our HIPAA fulfillment manager here at SecurityMetrics. He's been working at SecurityMetrics for nine years and has a lot of experience helping organizations of all sizes, technical knowledge, and needs in general. So a lot of good knowledge that we'll be able to learn from today.

Before we get started, just a little bit about SecurityMetrics.

We've been helping organizations comply with mandates, avoid security breaches, and recover from data theft since 2000. So, again, a lot of well-rounded experience with many types of organizations.

A few housekeeping items, before we get into the presentation.

The most common question we get is, will we be sending out a recording of the webinar? So the answer is yes. We will send you a recording of the presentation along with the slide deck so that you can review and share with other colleagues that maybe couldn't make the webinar.

So we'll be sending that out in the next few days to the email that you used to register for the webinar. So monitor your inbox over the next couple days, and you'll see that recording as well as the slide deck.

Throughout the webinar, if you have any questions, please chat them in. We will have a live q and a session at the end of the webinar. So as questions come up, feel free to chat them in. We'll address as many as we can.

If we aren't able to get to your question, we'll reach out to you on an individual basis. Or a lot of the times, we get questions that are very specific to your organization that may need, you know, more detail. So if that's the case, we'll also reach out on an individual basis to make sure that we can get you taken care of. Throughout today's presentation, we're gonna do a few polls, some little surveys, and it'll just be a little pop-up that will come up using your GoToWebinar control panel.

So when we initiate those, it'll be very clear. It'll pop up on your screen. If you can participate in those, it'll be really helpful to make sure this presentation can be as tailored to our audience as possible, as well as help us get better at helping organizations with HIPAA and helping your organization specifically.

So with that said, we're gonna go ahead and get into the presentation. I'm gonna turn the time over to Ryan Marshall. Go ahead, Ryan.

Thank you, Colin. Good late morning to everyone depending on what part of the country you're in.

Today, we're gonna break managing your business associate risk into three basic categories that I like to talk about this topic in. And the first is knowing what business associates are and identifying them, then the business associate agreement requirements, and then how to appropriately monitor your business associates and their compliance with their agreements.

That's the crux of the presentation.

But before we get into that, we have our first poll that Colin mentioned. It's just asking how many business associates you use, or if you are a business associate.

Generally, I deal with companies that usually have less than ten. So if you do have a lot of business associates, maybe there's gonna be a different piece of advice that I would give for the large organizations.

And we'll go ahead and close the poll now. And I thank you for your participation.

Looks like we do have some large organizations, but most of it falls in the category of the small to medium, and we have a couple business associates with us. So, for the people that responded with fifty plus, I'll give you a little bit different recommendations when I get to the appropriate spots, and I'll reference that.

Before we dive into the presentation: as a security professional, I go to conferences, I listen to webinars, and I read health care security related articles pretty frequently.

And there's two trends that I hear happen pretty frequently, and I just wanted to address both of those because they're both a little troubling to me.

The first is that anytime health care data security or HIPAA compliance or HIPAA in general is discussed, it's usually discussed in an Armageddon, doom and gloom, "you're gonna be breached, and when you are, you're gonna be fined out of existence" type of way, and there's a lot of hyperbole surrounding that. And while I'm not minimizing the impact that a breach can have on an organization, for a lot of organizations, their actual concern over being audited is low, and I think that that's justified.

And I just don't think that the fear tactics are a productive way to have the conversation. So I wanna make clear that this presentation is educational only. The only thing that I would hope to come out of this webinar is that maybe you learned one thing that you didn't know before or came away with one thing that you can do to help your organization manage or monitor your business associates. It's not a scare tactic.

The other thing that I always hear, and this is just in data security in general, is people in my profession generally beat the best security practice drum to the point where I think a lot of people tune them out.

And everybody loses in that situation. I agree the best security practice is the starting point of a conversation, and it's the starting point for this entire webinar, because when I'm talking about it in a general way, it's the only way that I can talk about it. But I also wanna emphasize that sometimes best security practice can seem overwhelming, or maybe you feel that it's a little too much and you're not going to do that. Don't adopt the mindset that if you're not complying with best security practice, you might as well do nothing. Doing something is always better than doing nothing. I would say the worst part about HIPAA is that it's general, vague, and ambiguous.

And the best part about HIPAA is that it's general, vague, and ambiguous, which means that there's a large flexibility of approach, and the ultimate goal is creating a defensible stance. And every action that you take furthers that defensible stance. So if what I say seems a little bit overwhelming, don't just disregard everything. Try and think of what you could implement out of that, or what portion, even if it's only one percent, so that you're still better off.

So that's my five-minute disclaimer of the presentation.

Now to start off with, I just wanna go over some definitions and some regulatory background.

If anybody doesn't know, a disclosure to a business associate is a permissible disclosure under HIPAA. It's a disclosure that doesn't require authorization or notification or an opportunity to consent.

You can just give information to outside organizations to provide a service for you, and that is an absolutely permissible disclosure.

An important note is that if you are a covered entity, and this won't apply to our couple business associates that are here, you create PHI. And when you create PHI, it makes you the data owner, which means that you are responsible for it in one way or another wherever it goes in the world for its entire life cycle.

So even when you give the information to your business associates, you still hold the responsibility for it.

That can seem fairly large, especially if you have a lot of business associates, and a couple of people said they had fifty plus.

If you have that many BAs, and they may be using one to ten downstream entities themselves, that picture can get very complex and large pretty quickly. It's important to note that the responsibility chain in HIPAA only flows one link down below where you're at. So as a covered entity, you're only responsible for managing the business associates that you directly give information to. Those business associates are then responsible for managing their downstream entities, and so on and so forth. So that does limit the scope of your responsibility a little bit.

And then the good news also is that prior to 2013, all of the responsibility for business associates' actions and breaches was on the covered entity. And the government employed a tactic of enforcement by proxy, whereby if their business associate breached the data, they would fine the covered entity, who would then in turn go after the business associate in civil litigation. But in 2013, that changed, and business associates are now covered under HIPAA after the omnibus ruling. So that did ease, or share, some more of the responsibility with your BAs.

I like to touch on who is a covered entity. I think most people know generally what a covered entity is, but it is important to make sure we're clear on the definitions in identifying business associates.

A health plan is a health insurance company, basically. Health care clearinghouses are data aggregation companies that take PHI from a nonstandard format and convert it into a standard format. And then there are health care providers. All three of these types are, by definition, covered entities under HIPAA. I think most people are pretty good with the health plan and health care clearinghouse, and the most seemingly obvious one would be health care provider.

But there are some types of organizations that would be classified as a health care provider that may not seem so obvious.

Examples are pharmacies, which are health care providers; homeopathic providers are health care providers also. And then you have some oddities like prosthetics manufacturers and custom orthotics suppliers. They're also classified as a health care provider too.

And I'll go over why that's important to know and make sure that you have definitions of what a health care provider is in determining business associates.

Sometimes you have weird examples like labs that can be health care providers but also can be a business associate depending on their organizational structure.

The first step in managing your business associates is identifying who they are.

You can't properly have agreements in place or do any monitoring if you don't know who they are, and it can be a very deep rabbit hole to dive into.

I always say that HIPAA is like the English language in that for every rule, there's three exceptions, and those three exceptions also have at least one exception to them. So in defining what is a business associate, I almost think that it's easier to define what is not a business associate. So there's kind of three questions that I ask myself when I'm determining if a company or an organization is a BA.

The crux of it all is that there's a data transfer. So if you, as a covered entity, are sharing or giving PHI to another organization, or even giving them more than incidental access to PHI, that's the base of it. Once that's been established, then I would ask myself, are they another covered entity who is functioning in their primary role as a covered entity in this transaction?

An example of that is if I'm a health care provider and I'm referring a patient to another health care provider, the primary role of health care provider is to provide direct treatment and to collect payment for that treatment. So if I'm transferring information to another health care provider in order to provide direct treatment, that is not a business associate relationship.

Another example is a health insurance company's primary role, which is to process claims and render payment to the providers. So if you're a health care provider and you are transmitting information to a health plan in order to process a claim, that is two covered entities both acting in their primary roles as covered entities.

So that that would not constitute a business associate relationship.

That doesn't mean that every transaction between CEs cannot constitute a business associate relationship. If there's a small health care provider and they're using a larger health care provider's billing for them, that's not acting in the primary role. So that would be a business associate. But that's the crux of it. They didn't wanna impede the common transactions of information in health care between providers and insurance companies. So those generally are not business associate relationships.

The second question is, is it a government agency or is it a law enforcement entity? Generally speaking, you have to comply with requests from the government or law enforcement for PHI. So those would not be BA relationships as well. And then if it's outside of those, it is a BA, generally.

I wanna make it very clear that that three-step process is a very generalized way to identify business associates.

It's kind of the start of it. But there are many business associate decision trees that have been created; a lot of law firms and associations have created BA decision trees, and they're really excellent to use. You can Google them and download them for free. And I would recommend using something like that as your ultimate determiner of who is and who is not a business associate.

The covered entities are responsible for their BAs in, one, identifying them, and then having proper agreements in place with them that outline all the proper terms of the way that the business associate is to handle the data. And then you need to do something, some measure of monitoring or checking, to make sure that the business associate agreement is being upheld.

And that's the three main responsibilities of a covered entity in managing business associates.

It can be challenging for them because knowing who a HIPAA compliant BA is, or if BAs are handling data securely, can be a challenging thing.

There's not any official certification out there from the government or anything on who is HIPAA compliant. So it kinda comes down to some individual effort, and that can be challenging. The entire process of managing or monitoring somebody who is a business partner, and who you technically are a customer of, and demanding things of them can be straining on a relationship. And there's a level of control that needs to be exerted that sometimes is difficult to do. And then, ultimately, in one form or another, there is an element of risk that covered entities own: that if a BA loses data, breaches someone's privacy, or gets data stolen from them in any way, the covered entities are responsible.

So it's not the easiest thing in the world to do, but I don't think it's as daunting as it appears at face value.

And this is the part where I'm gonna give some breach studies, and I wanna reiterate my previous point that these are not nightmare scenarios that I'm presenting as "this is going to happen to you, or probably already has happened to you, and you're going to be fined." I just find it beneficial, when talking about an abstract concept, to use real-world examples to put a face on it and show how organizations have had incidents with their business associates, how they've handled it, how they protected themselves or not protected themselves, so that you can kinda see what the efforts can yield in action.

So with that, I'll just go over a couple case studies here.

South Shore Hospital is a hospital in Boston. They shipped four boxes of backup tapes to a business associate called Archive Data Solutions.

And as far as what Archive Data Solutions reported, they only received one of those boxes. Nobody knows what happened to the other three, and about 800,000 records were lost in total. During the investigation, it was found that South Shore did not have a business associate agreement in place with Archive Data Solutions, and that's pretty much the end of the investigation. They were fined as a result of that.

It was about a half million dollars after all was said and done. And the important part that I hope you take away from this is not that they were fined $500,000, but that they didn't have a BAA in place, an agreement in place, with Archive Data Solutions, and that's the end of the conversation about your protection against the risk of a business associate if you don't have an agreement with them. And I believe they didn't have an agreement in place because they didn't know that they were a business associate, or they weren't properly managing who they had currently providing services for them and making sure they had up-to-date agreements in place with them.

This is my favorite, I think, breach in any context that I've ever read about. A hospital in Texas was using a mobile shredding company called Shred It to come out and shred their physical sensitive information.

They had some information from the eighties that was on microfiche or microfilm, which is still shocking to me that that was ever used outside of 1963 CIA operations.

But people used to put PHI on microfilm, and this hospital had some data from the eighties that they wanted to destroy. When they gave it to Shred It when they came out to the business, the people on the truck said that the truck did not have the equipment to properly destroy the microfilm and that they were going to transport it to another facility that did have that type of equipment. And then for one reason or another, probably because the truck driver was tired and didn't wanna make an extra stop or extend his shift, they just threw it in a dumpster. And then it somehow ended up in a public park in Texas and was found by some old lady who no doubt thought that she just uncovered the secrets to the Kennedy assassination and reported it to police.

During the investigation for this, Texas Health was not found accountable and was not fined because, one, they had a business associate agreement in place with Shred It, and, two, they followed up after the driver said that they were gonna transport the microfilm to another facility.

Some people at the hospital followed up with the document shredding company to ensure that it had actually been transported to the other facility and destroyed, and Shred It lied to them and said that they had. Most likely because the drivers of the truck had lied to their superiors, and so on and so forth.

But because they had an agreement and had taken some proactive measures, they weren't fined. They weren't found accountable for that breach.

And then we have the case of Newark Beth Israel Medical Center, which, if anybody has followed any kind of health care breach news, they're in the news pretty often. I think they've been breached about nine times in the last four or five years. So they're generally considered an example of what not to do.

But this isn't one of those cases. They used a transcription company called Professional Transcription Company that accidentally, I think it was during a development improvement process, but the BA accidentally posted PHI of about 1,800 individuals on their public web portal.

They realized that they had done this very quickly and took it down and then notified the hospital, who then reported it. And Newark Beth was not fined in any way for this because they had an appropriate BAA in place and could not have reasonably known that this type of incident would have happened. And if you actually search for this breach on the HHS wall of shame, it's not even reported under Newark Beth Israel. It's actually listed under a business associate breach for Professional Transcription Company, and Newark Beth is only mentioned in the description of the breach, but not as the culpable party. And this was the second time in three months that Newark Beth had had a BA breach information that they were not held accountable for because they took some appropriate measures.

So, we're gonna go into the second part, which is some business associate agreement requirements and some proper ways to manage your BAAs.

Like I said, the first step is still that you need to identify who your BAs are so that you can then start to complete these steps.

Business associate agreements, I couldn't really stress the importance of them enough. They are the crux of the entire conversation. They are the foundation of all management steps in dealing with your business associates or managing their risk.

They establish all the required elements of what they're supposed to be doing, what your expectations are. They include all of the regulatory requirements.

For example, you know that your business associates are supposed to be HIPAA compliant. But in essence, the HIPAA compliance requirements are included in your agreement. So at the end of the day, all that you're really required to do is to make sure that they're complying with your business associate agreement. Because if they're doing that, then they are complying with the applicable HIPAA statutes that they're required to. So it's extremely important to have up-to-date business associate agreements in place with everybody that you're giving PHI to.

It's also equally important to note that however important a business associate agreement is to the entire conversation, it is not a one hundred percent bulletproof shield protecting you from all risk from a business associate, and there's two parts to it.

The first is I always like to give an explanation that there's four ways to treat risk.

Risk avoidance, risk acceptance, risk mitigation, and risk transference. And only one of those treatments actually eliminates all risk, and that's risk avoidance, which means that you don't ever engage in the activity that creates the risk in the first place. So the only way to eliminate all risk associated with dealing with BAs is to not use them. And I'm not telling people to not use BAs. I'm just saying that that's the only realistic way to eliminate all risk.

Using a business associate is actually an example of risk transference.

With risk transference, you can, like I mentioned in the previous case studies, eliminate all of the financial risk, where those organizations, the Texas hospital and Newark Beth, were not fined by the government. They didn't receive any financial penalties. However, they still had the reporting obligation, so they had to report the breach to all the affected individuals. So there is some reputational damage that can be suffered as a result of dealing with BAs regardless.

There's a small element of risk there. The other part, that a BAA isn't the only thing, is that you can have the best BAA in the world, you can be keeping it up to date, you can make sure that you have them signed with every single one of your business associates. If you aren't doing anything to monitor their compliance with that agreement, it also doesn't offer you the same level of protection.

I bring this up because I deal with a lot of organizations that get their BAA signed and then think that they're a hundred percent off the hook with the entire thing. So it is important to note that there's still some residual risk there.

As far as what is in your business associate agreement, I'm sure that maybe some of you created your own agreement, maybe not. Most of the people I deal with do not create their own business associate agreements. They use a template that was provided to them by their insurance company, their malpractice attorney, an association that they're a part of, or maybe, if they're a part of an organized health care arrangement, they have a common one that's distributed. But most of the people don't generally create their own business associate agreement, and there's nothing wrong with that.

As a matter of fact, I recommend it for most people because there's a lot of resources that are required to create a good business associate agreement that a lot of organizations just don't have on staff. So it's good to outsource that. However, it's also imperative that you know what's in the business associate agreement regardless of whether you created it or somebody else did. There are required elements that need to be in there.

And just knowing what those required elements are and that they are in there is important.

An example is you need to have permissible disclosures defined in your business associate agreement. There's three subcategories to that, but, generally, it's just what the BA can and cannot do with the data. You need to have their responsibility or duty to safeguard the data and what level they're supposed to safeguard it to, which is generally where you reference the Security Rule.

You need to have the reporting obligations listed in there. You need to have their responsibility to help you comply with your privacy obligations as far as patient requests go. You need to have a termination clause in there, and that termination clause needs to say that if the contract is terminated for any reason, then they must return or destroy all the data if it's feasibly possible to do so.

So those are some of the elements. And then on top of the required elements, there are some things that aren't necessarily legally required to be in there, but are extremely good ideas to have.

And those would be, like, a right-to-audit clause. I always tell everybody to make sure you have a right-to-audit clause in your business associate agreement because that's your legal authority to monitor your business associates. I mean, you can ask them to provide proof or documentation that they are complying with the terms of your agreement. But if you don't have it in the contract, do they have to do that? They can just tell you no.

The termination clause being solid is good. And then an indemnification clause is also a good thing to include, just so that you're both saying, I'll take responsibility for the financial harm I caused; you take responsibility for the financial harm that you caused.

Another reason it's important to know what's in your business associate agreement is that whatever's in it has to be upheld. You're responsible for making sure that it is being upheld.

Some BAAs have expiration dates in them, and this is a very important note. If you don't review your BAAs and know exactly what's in them, they may have an expiration date that you're unaware of. And if you don't get that contract renewed, then it's invalid.

And I get asked a question when I bring that up: do they need to have an expiration date? And the answer is no. You do not need to have an expiration date in your BAA. It can be indefinite.

However, it's important to review your BAAs periodically, whether you do that twice a year, once a year, or whatever you determine, just to make sure that it's still going to satisfy your needs. And I think that's why people put expiration dates into it, to force that action of reviewing and updating them. So if you do have an expiration date, make sure you're getting them updated. If you don't have an expiration date, make sure you're reviewing them to ensure that they're still adequate.

I break minimum necessary out. This is one part of permissible uses and disclosures.

And for anybody that's not familiar with minimum necessary, it's a requirement in the Privacy Rule that's kind of a foundational principle of HIPAA: that you shouldn't create, disclose, or use more information than is necessary to perform the task.

I break this out as making sure that this is spelled out in the business associate agreement because most BAs that I talk to, if they are aware of minimum necessary, think that the covered entity is taking care of the minimum necessary requirement because they're required to only disclose the minimum amount of information that the BA needs to perform a task.

The important part is that there are different responsibilities, and they may seem like the same, but I'll explain.

A covered entity is required to only disclose the minimum amount of information to a BA that they need to perform the task, but then a business associate also has the responsibility to only use the minimum amount of information necessary to perform the task. And that may sound like the same thing, but it can be vastly different depending on the BA and what tasks they're performing. If a business associate is performing multiple types of tasks, maybe the sum of all those tasks requires a large dataset, whereas each individual task would only require a piece of that dataset.

Especially in organizations where maybe those tasks would be broken up into different personnel or different systems, it's very important for the business associate at that point to limit the access of the systems and personnel performing the individual tasks to only the pieces of the large dataset that they need to actually do that. So I always tell people to make sure that you break that out, or spell that out, in your permissible disclosure requirements in your business associate agreement.

So here's another point where we're gonna do another poll, as we're talking about reviewing your business associate agreements. We're just trying to get a gauge on how often people actually do review the content of their business associate agreements.

And once again, thanks for participating. It looks like about a third of you said that you do this semiannually. I applaud you.

Most people don't do that.

Most people do it annually, which is about what I expected.

One of the one of the the trickier parts about dealing with with BAAs is you can have your own BAA written up that is very, very adequate. It covers all the topics that you need. It has all your optional elements, all the required elements. You feel very, very confident and comfortable with that.

Sometimes you you'll have a negotiation process where the business associate that you're working with either doesn't like certain parts or clauses that you have in the contract or there a lot of larger organizations have their own standard contracts that they use, and they won't sign anybody else's business associate agreement. They'll just distribute their own and only sign their own. And that can put you in a in a sticky point of where do you dig your heels in and where do you allow a little bit of leeway and some compromise.

And this kinda goes back to the importance of knowing what's in your business associate agreement, what the required and optional elements are, and what the most important optional elements are to you. That can help you identify the areas where you do wanna dig your heels in. And it's also helpful to know that if somebody is missing one of the legally required elements and refuses to sign something that states that, it's pretty defensible to say, look, this isn't our requirement.

This is a HIPAA requirement. Everybody has to put that in there. So it's not just gonna be us that has that clause in there. It also kinda shifts the bad guy role onto the government, who plays that role well enough by themselves.

So it can help maybe soften the idea of signing or agreeing to a certain clause that's not palatable to them. And it also lets you know that if they're not going to comply with certain types of things, maybe you need to not do business with them, which brings me to my next point: the regulations state that if you know or reasonably should have known that your business associate is not complying with a part of your agreement and you do nothing, then it invalidates the protections of that part of the agreement.

So this would also extend to a business associate refusing to sign an agreement, or refusing to agree to some of the required elements of a business associate agreement. If they refuse to sign that, you know it's required or should have known that it's required, and something happens, that greatly reduces the amount of protection that your agreement can offer you. So I always tell covered entities, and business associates maybe don't want people to know this, but maybe they do: you have purchasing power as a covered entity. You are a customer.

There are plenty of BAs out there that are eager to get your business. So if you encounter one that is difficult to work with on HIPAA compliance or with your agreement, there are plenty of other people who take great effort to be HIPAA compliant, advertise that they are, and will sign your agreement or will have their own agreement that you would find adequate and that they will sign. So don't be stingy with your business if somebody's not willing to work with you.

And this is the point where we're gonna take one more poll. I know this is gonna be the last poll that we have.

And if you're reading the question, I know that I just said not to do business with a business associate that's unwilling to sign an agreement.

But please answer this based off of what you would normally do. Once again, these are anonymous. They're not gonna be used to judge you.

Thanks again for your participation, those who voted.

Interesting result that everybody, a hundred percent, said that they would not. So kudos to you. I would just also advise you to extend that line of thinking to people who are unwilling to sign certain parts of an agreement, or who want you to use an inadequate agreement.

I will now discuss the least fun part, I think, of managing business associate risk, and that is auditing, or, a softer term that I like to use, just monitoring your business associates.

There are certain things that you need to do, and it depends on who the business associate is and what type of risk they are presenting to you. And we'll talk about that a little bit more in a second.

But, yeah, there needs to be some type of effort to ensure that they are doing what they said they've done and meeting the expectations laid out in your business associate agreement with handling the data and complying with the applicable law. Some of the pieces of evidence that are good to ask a business associate to provide you with, at least on an annual basis, are a risk analysis, a risk management plan, and incident management programs.

The first two, the risk analysis and risk management plan: like I mentioned before, HIPAA is very vague in general on a lot of things, but not on these two things. In the security rule, it's very specific that every organization must conduct a risk analysis and risk management process every year. So asking your business associates to provide you with a completed copy of their risk analysis and risk management process is, a, a good start to know that they're doing their part in trying to comply with the security rule, and, b, it gives you good insight on what risks they have within their organization and what they're doing to manage them.

The third one, incident management programs, is also a direct HIPAA requirement, but it's also a very crucial security process just to have an incident response plan. Knowing how to track, detect, and respond to security incidents is a very critical procedure they need to have in place. So these are three simple things that can give you good insight into how they're handling the data and if they have their house in order, so to speak.

Some additional things that you can ask for are their policies and procedures, both security and privacy, on how they're handling data. And then I tell people, if you get policies from somebody, review them against your contract, because a lot of times a company's own internal policies were written in a disparate way and at a separate time from the business associate agreement, especially if you presented them with the business associate agreement. So they may sign off on your BAA and say, yeah, we're fine with that, but their own internal policies may contradict certain parts of the business associate agreement. So it's good to do a checking process on that if you do ask them for policies.

I wanna throw out a disclaimer that I'm not a salesman, and this is not to encourage anybody to enroll in SecurityMetrics' compliance program.

I'm a security professional, so I'm probably the worst salesman in the world. And if you're using a competitor, use a competitor. The reason I bring this up is, like I mentioned, especially for smaller organizations that don't have trained security professionals on staff, looking at a risk analysis is a different language. They don't know what it means. They don't know if the risk management or the risk treatment items are adequate.

They don't know if the documentation is adequate; they don't know what they're looking at. So looking at a risk analysis or risk management plan doesn't really do them a lot of good other than they can show due diligence in asking for it.

If you are in a situation where you don't want to do this or you don't have the capability of properly monitoring your BAs yourself, there are plenty of organizations like ours out there that offer compliance programs that BAs can participate in. If a security professional writes a HIPAA compliance program based on the law and based on best security practice, it gives you a very defensible stance to say, yeah, my BAs are compliant and doing what they're supposed to with the information because I had them enroll in a program, and here's the program. Here's what they do.

And most organizations will offer you console tools where you can check on your BA's compliance status. So it's really easy that a couple of times a year you just log in to the console and check that they're compliant, and that takes care of your monitoring requirements very easily. So, especially for small organizations, that may be something that is good to look into. And then another important note is that depending on how high risk your business associates are, maybe you wouldn't wanna have your lower risk BAs participate in a compliance program, but maybe it would be a good idea to have the higher risk ones participate in it. If you are gonna just try and monitor or manage your business associates yourself, and not have them go through a compliance program, the first step of it is determining risk and putting people into risk buckets, so to speak.

There are several ways that you can do this. You can do it just based off of your already existing knowledge of what type of business or organization they are and what service they're providing. Some things are fairly common sense.

A data backup company is obviously gonna be a higher risk company than an IT service who only has, you know, incidental access to PHI through the systems.

So some organizations and services by definition are going to be higher risk. But in the past, when I've helped people try and do this, helped some larger organizations try and risk profile their BAs,

well, we created a survey of some simple questions, ten questions, and weighted each question with a value of one to three: one being low risk, two being medium risk, and three being high risk, and then sent it out to all of the business associates. And as they completed it, anybody that had a score from one to ten was low risk, eleven to twenty medium, and twenty-one to thirty was a high risk organization. And they had their own process for how they dealt with each one of those classifications.

So that's a simple way that you can do it if you wanna be really... that's the word I'm looking for.

If you really wanna exercise due diligence in managing your business associates, some of the questions you can ask them are: the type and quantity of data that they're receiving, and you can do that by year, or historically throughout your relationship by month; how they're handling the data; what technologies they're using; how it is stored; is it encrypted when it's stored. Those are good questions to ask.

Are they using remote access or outside web applications to handle and transmit the data? Who are they disclosing it to? How many people are they disclosing it to?

Do they handle it on mobile devices? What's the proliferation of that? Do they have internal IT or security staff?

Those are all some of the types of questions that you can ask to decide what is gonna be higher and lower priority for you.

The end of all of this is that I hope you can see the importance of identifying your business associates, making sure that you have proper agreements in place with them, and then taking some type of measurable action that you can document and show that you are making sure that the agreements are in place.

BAs can be well intentioned, but some of them are fairly new to the HIPAA space, and I apologize if I'm offending our business associates that are listening.

I talk to BAs a lot, and a lot of the time they don't know that they're actually required to be HIPAA compliant now.

It's been four years, but that information can be slow. And so they're kinda newer to the space.

But the one thing that's important about them is that business associates, once they realize their obligations or are notified by a covered entity, tend to be some of the more motivated people to become HIPAA compliant and to comply, because it's a financial incentive for them, and it's financially reasonable for them to do so. So monitoring your BAs is not as hard as you think, and you don't need to be in their business and cause strain on the relationship. You just need to take a couple of reasonable actions that you can document to show that you're doing something.

Another thing is to make sure that when you have somebody that's being uncooperative, don't work with them.

And whatever you do, document it. Because if you don't, it didn't happen. If you get a piece of evidence from them, if you check on something, if you update an agreement, all of it needs to be documented to show that you are exercising good faith compliance all along the way.

And now is the part where we will open it up, and Colin will take some of your questions. Hopefully, we can answer them for you.

Alright. As we wait for some questions to pour in, just a reminder, we will be sending out the recording of the webinar and the slide deck in the next few days. So keep on the watch for that. We'll give it just a couple of minutes so that some more questions can come in. We appreciate everyone's participation. We've already received some really good questions, and we appreciate everyone's participation in the polls; that definitely helps us to better help your organizations moving forward and have a better finger on the pulse of the industry and kind of benchmark some things.

Our first two questions are somewhat related, talking about labs as they relate to business associates. So, Ryan, can you just clarify again labs as possible business associates depending on kinda how they're set up or what their primary function is?

Yeah. So that can be a very complicated question. There are a lot of dynamics to it, but the basis is what types of services are they performing, and is the lab a part of an organization that is not a covered entity? So if a lab is a part of a hospital, then... and just to clarify, most of the time, I mean, the vast majority of the time, labs are covered entities.

But, once again, it depends on the type of service they're providing. If they're a part of another organization that is dealing with, you know, imaging and is not itself classified as a covered entity, isn't part of a large organization, then they can be a business associate. So I can't think of any specific examples off the top of my head. It's always just case by case. But the crux of it is, if they're part of a large organization that is a health care entity, then they are a covered entity. They may not be a covered entity, depending on whether they're a part of an organization that is not a covered entity.

Great. So kind of going off of that question, we had someone chat in and mention that certain providers, such as lab services, that reside inside of a covered entity are consistently asking for business associate agreements to be signed even though they're technically not business associates.

And so this individual or this organization has pushed back on these requests and tried to clarify that it's a covered entity to covered entity relationship.

What would you advise? Should they sign those business associate agreements even if they maybe aren't required? Should they push back? Or what would you recommend?

So I couldn't give a definitive answer without knowing a little bit more information about the lab and their organizational structure. But it's a fairly common thing, whether it be labs or different types of companies that don't understand the BA relationship question fully, and so they will ask for BAAs when they don't need them. It's kind of an organizational choice for you. The first thing I would do is determine if that lab is a part of your own organized health care arrangement.

You absolutely do not need a business associate agreement in place with them if they're a part of an organized health care arrangement. As a matter of fact, an organized health care arrangement can actually do their HIPAA compliance as one single legal entity if they choose to. So, beyond not being a business associate relationship, you could be legally viewed as the same entity.

So the first step is identifying if they're part of an organization that does not need to comply with HIPAA independently, other than through their relationship with you. But if you wanna sign a business associate agreement with them, as long as there's nothing outlandish in it and it's all things that you would just be doing as a normal course of business anyway, I don't see the harm in it. But at the end of the day, that's an organizational decision, because you're gonna be contractually obligated to uphold whatever you sign. So you may not want to overextend yourself as far as that goes.

Awesome.

So here's a question. If a covered entity contracts a company such as SecurityMetrics or some kind of security provider to assist with business associate agreements, does that in turn make that company a business associate and then require a business associate agreement between them?

No.

Well, it could, depending... it doesn't matter. And we have customers ask us to sign business associate agreements pretty frequently, particularly because we do external vulnerability scanning as well. But it's not based on whether we're helping you with your security related goals. It has to do with the sharing of information. So if you are not disclosing any of your patient information or giving any level of access to your patient information to that security company, then, no, you do not need a business associate agreement. The basis for it is the data sharing and access, not necessarily the services being provided, if that makes sense.

Great. And another kind of clarification on where an entity falls as a business associate, and I understand there will be variance depending on how they're being used.

But where would a law firm come down as whether or not they're a business associate?

So, you know, in the malpractice attorney space, most malpractice attorneys are business associates.

If they needed to defend you against a malpractice suit against a patient... I don't really see a situation, and I'm not a lawyer, so I couldn't say for sure, but I can't reasonably see a situation where a malpractice attorney could defend a lawsuit against a patient without having access to the treatment, the patient's PII and PHI. So if they are going to, as a part of their service, have access to patient information, then they would be a business associate.

Law firms can also be complex in the sense that most law firms will not specifically deal with health care providers. They'll have other parts of their organization where they do other types of law. And in those cases, they can isolate the health care component of their network, so only the people that deal with malpractice have to be HIPAA compliant. But generally speaking, malpractice attorneys are business associates because they would have more than just incidental access. And to explain that real quick, incidental access is like a janitor. If you have a janitor or a custodial service that comes through your building, maybe you have PHI laying out on desks, or there could be some type of information out in the open that they could come across.

The type of service they're providing does not require access to that in any way; anything they would ever encounter would only be incidental. It wouldn't be necessary as part of their service. So that wouldn't necessarily be a business associate relationship either.

When you're going to, by definition for the services being offered, give an organization access to information, that would generally require a business associate

Awesome.

Great clarification.

We're getting variations of the same question, and so I'm gonna do my best to kinda summarize and put a few of your questions into one. So as you mentioned during the presentation, Ryan, monitoring and tracking BA compliance is not an easy feat, and it relies heavily on the cooperation of business associates.

And so if some due diligence is done and a covered entity reaches out to all their business associates, whether it be with a survey or requiring some kind of evidence of a risk analysis or risk management plan, and they don't get a good response,

are they better off to have done that, or is that going to increase their liability in any way, that they didn't follow through, or if someone provides evidence and it is lacking? Can you kind of just talk about the situation of, you know, how far should they go? Is the OCR going to look down on it if they don't throw the kitchen sink at it?

That's a very good question. And it actually applies not just to the question of business associates and your monitoring, but to all of HIPAA in general.

And the answer is ignorance is the worst possible scenario that you can put yourself in.

Knowing is always better than not knowing. And ignorance is not defensible in any area of HIPAA. As a matter of fact, there are penalty categories called unknowing, reasonable, willful neglect corrected, and willful neglect uncorrected. Willful neglect is the worst category of fine structures in HIPAA, and those are the ones you wanna avoid. And HHS and OCR have consistently said ignorance automatically qualifies you as willful neglect. So if you are monitoring your BAs and they give you, you know, not reasonable assurances that they're doing the right things,

that still reflects better on you because you were exercising due diligence. Even if you didn't do anything, that's still better than not knowing.

One of the key phrases in HIPAA that I mentioned earlier is that you know or reasonably should have known. So since there's a requirement that you're supposed to check, you should have known. And if you don't know, then you're in willful neglect. You didn't even try.

So, yeah, I get that. People ask that a lot; they don't wanna expose their liability by finding out information that they then have to take action on. But finding it, knowing information, and not doing anything about it is still... it's not good, but it's still better than blatant ignorance.

Great. That's a great answer, and I'm glad you brought in that it really applies to all of HIPAA compliance, because I think that is a common question that we see in webinars and in customer interactions.

So another question that someone's curious to get your take on. One of the most recent OCR settlements came out with a corrective action plan. The corrective action plan does not include anything about business associate agreements or business associate monitoring.

What's your opinion on why the OCR hasn't been including those in some of the corrective action plans?

You know, I'm not sure which case they're asking about. And without more specifics, I really don't know why they wouldn't include that. They have talked about the importance of business associate monitoring. So I just really couldn't answer the question.

I don't know the case. I don't know if a business associate was the cause of the breach, or why they wouldn't have done that as part of their action plan. Unless maybe the covered entity had done other things that they were getting fined for, but their business associate monitoring was not the problem. And then, yeah.

I I don't know without more specifics.

Okay. No problem.

And just as we wrap up, we only have a minute or two remaining. And once again, this was a question that we commonly saw: outlining kind of what your organization is doing for BA monitoring or compliance and your first steps, and asking to get our opinion. So I just wanna wrap up and have Ryan kinda give his take on what a general good first step looks like for organizations of kinda any size as far as business associate monitoring goes.

Specifically monitoring?

Or implementing business associate agreements.

Identification is always the first step. And to give an example of that, I dealt with an organization that had about fourteen hundred business associates, and they wanted... I mentioned earlier the risk buckets that we did with the survey. It's the same organization. And during that process, we discovered that almost four hundred of their business associates had either gone out of business or been acquired by other organizations.

So they were out of date, and they thought they were still providing information to these people, and they didn't follow up on the termination clauses in any of the agreements with almost four hundred organizations. So the first step is identifying who they are and keeping an accurate list of who your business associates are, because then you at least know who to start getting agreements signed by, who to contact if you're gonna do some risk profiling, or have them participate in a management program or a compliance program. You can't do anything until you know who they are.

And I always tell people to look at your accounts payable, because you're giving these people money, so that's a good place to start. Go through your accounts payable and use a BA decision tree to determine which of those service providers could be business associates, and then start reaching out to them. See if you have agreements in place that are up to date. And if not, start reaching out to them and then go from there.

Awesome. Well, we wanna thank everyone again for your attendance.

We'll send out the recording in the next few days, and if you have any questions and would like to further discuss how we can help, or, you know, try to identify some of these business associate agreement issues or monitoring problems, feel free to reach out to us. We appreciate your attendance, and we look forward to the next webinar.

