BAs and HIPAA: Who they are, how to assess them and the importance of compliance structure

The relationship between a provider and a business associate can be a complicated one, especially when it comes to cybersecurity concerns. To that end, HIPAA lawyers, speaking on a panel at a healthcare security conference this week, highlighted what providers should look for when signing an agreement with a BA.

The attorneys, Adam Greene of Davis Wright Tremaine, Amy Leopard of Bradley Arant Boult Cummings, and Jim Wieland of Ober|Kaler, went back and forth on a range of topics during the event in the District of Columbia.

Here's what they had to say:

Who is a business associate?

"This seems like a simple question, but still can be a pretty big debate sometimes," Greene said. "We continue to see some challenges in this area."

Greene said one of those hurdles is the changing relationship between health payers and providers. There is increasing interaction between accountable care organizations and similar entities, especially when it comes to increased data sharing. That sometimes will lead to payers saying there needs to be a BA agreement.

Healthcare providers generally are not considered to be BAs of payers, Greene added. "No hospital wants to become subject to a health plan's security control."

Leopard added that changing roles causing providers to move more toward population health management, risk management and value-based purchasing is making them look more like health plans, so there's a lot of blurring of the lines.

Providers dealing with a commercial accountable care association or health plan insisting there needs to be a BA agreement can look to "the granddaddy of the ACOs"--the Medicare Shared Savings Program, Greene said.

"In the Medicare ACO rule they have a whole discussion of how HIPAA applies to the information sharing between Medicare, which is just another health plan, and how HIPAA allows Medicare as a health plan to share information with the ACO network for purposes of their healthcare operations," he said.

Why not just sign it?

"Why don't I just sign it anyway?" asked Wieland of the other panelists.

"Post-omnibus, I think there's become an attitude 'if it moves stick a business associate agreement on it,'" Greene said.

However, that isn't the best way to approach it, he continued.

"If something goes wrong it's bad enough having to pay your own breach bills, but someone else's breach bills under indemnification," Greene said. "You may disagree whether there's a breach and they may think otherwise, so it's not necessarily a good thing to be a business associate."

The importance of compliance structure

It is very important to understand a BA's compliance structure, especially whether the chief information security officer reports to the chief information officer, and whether that is a sound compliance structure or what one might call a conflict of interest, Greene said.

It's a big debate among covered entities themselves, but is that something to look at for BAs? he asked.

"There's some potential for a conflict, so you should think about that and think about ways to manage it and put safety valves in place," Leopard said.

Looking at not just an organization's policies but its structure can also give you an idea of its culture, Greene said.

"Is the CISO a low level person who doesn't have much sway in an organization?" he asked. "Or is it someone with really high authority in an organization?"

Leopard also noted a recent report from the House Committee on Energy and Commerce that said security concerns too often are playing second fiddle to maintaining network operations in the Department of Health and Human Services.

The committee recommended agency CISOs not report to the chief information officer; instead, it said that the CIO and the CISOs of each HHS operating division be part of the Office of the General Counsel.

"So be careful what you ask for," she said.

How do you assess a BA?

The most important aspect of assessing a BA is understanding what protected health information it possesses, where it keeps that information and who else is looking at it, according to Wieland. If you don't have an understanding of that, he said, you won't know what you need to do in terms of security controls.

A classic example, he added, is the fact that more non-healthcare-provider vendors are offering services to covered entities that require direct access to things like electronic health record systems. In many instances, they're using a third-party data center, and that's where you start to lose control in terms of writing the rules and even knowing where the PHI is.

The world does not end with HIPAA, Wieland added; there is other guidance, as well as state laws, to consider. In addition, HIPAA does not require things like encryption, which should lead to the "impulse to look for more from a BA in today's environment than is offered by HIPAA and its requirements."

To flesh that out, groups should consider third-party assessment frameworks such as those from NIST and HITRUST, as well as creating well-developed questionnaires that require the BA to disclose everything about its security, Wieland said.

"It requires a real knowledge base on behalf of both parties, a willingness to talk and a willingness to be flexible," he said.

Leopard also noted that having some level of security review in front of you when negotiating an agreement is extraordinarily helpful.

"If I know the basic security profile as vetted by the covered entity and the data elements that are being shared, you can figure out very quickly what to give on and what to push on," she said.