So you know that you and your third party vendors need to handle information safely or else you could get some serious fines for HIPAA violations, especially in the field of addiction treatment marketing.
To motivate your vendors and marketers to take this issue seriously, they need to share some of the responsibility and legal liability for handling your patients' information correctly. To do this, you need a Business Associate Agreement, or BAA.
A BAA, or Business Associate Agreement, is an agreement between a business and the third-party organizations it has a business relationship with. In the wording of the regulations, they are officially called "business associate contracts," but in common speech they are almost always referred to as BAAs. A BAA can either be a separate document, or it can be written into the overall contract between the health center and the third-party vendor.
These agreements create a shared liability between the center and the vendor in question, and, like most contracts, if one party violates the agreement, it may have to make reparations to the other party. They mostly cover how and when third-party vendors, like marketing companies, should handle PII (personally identifying information) and PHI (personal health information). Most of them directly cite the specific passages of HIPAA that are likely to come up in the course of the vendor's work.
A typical BAA will include the following:
Some terms to watch out for that should not be in your BAA are terms that create unlimited liability or unrealistic timelines for reporting a breach. It is always important to have a lawyer look over your agreement to make sure the contract is viable and enforceable. Check here for a sample business associate agreement. These terms MUST be in writing and signed by both parties.
Any individual (such as a self-employed contractor) or entity (such as a marketing firm) that performs activities for the "covered entity" (meaning your health center) which require the business partner to access PHI needs to sign a BAA.
Many vendors can fall under this category, such as:
Once a BAA is in place between the parties involved, the employees of each party are also covered; individual employees do not each need to sign the BAA. For this reason, anyone handling PII and PHI needs to have a clear, in-depth privacy policy and make considerable efforts to ensure all employees are familiar with it.
Employers in this scenario usually have all of their employees complete HIPAA training and/or sign a waiver regarding the handling of personal information. Some even send teams or team leaders to get certified by programs that focus on HIPAA safety, like BHAP's addiction treatment marketing program.
There are a few notable exceptions to these BAA guidelines, however. For instance, law enforcement may request PHI under certain circumstances, but law enforcement agencies are not considered business associates and therefore do not need to sign a BAA.
The Department of Health and Human Services (HHS) also specifies these situations as exceptions to the rule of needing a BAA to share liability for transfer of PHI:
The main takeaway here is that everyone shares a responsibility in some capacity to handle PHI and PII securely, whether they are officially on the BAA or not.
HIPAA compliance can be slippery to maintain sometimes, for two main reasons.
The first is that the act was not fully explained to those it concerned when it was first put into effect, and enforcement was low, leading many to believe that several parts of HIPAA were not that serious.
The second is that ways of communicating are constantly evolving. Digital communication, cloud storage, and even electronic records within a facility all need to be secured at all times and deployed appropriately.
Several recent developments deserve your attention.
HIPAA violations are usually handled by the Office for Civil Rights, or the OCR. The OCR started picking up speed in enforcing HIPAA regulations in 2014 and 2015 and has begun performing sweeping audits, though the requirements are not identical for each audit.
Some covered entities (meaning health centers, mostly) are being asked to provide privacy policies and procedures, while others are being audited down to their individual security rules and measures, such as their breach notification procedures. Another development from the OCR is the release of a fact sheet on ransomware (or any malware) as it relates to HIPAA requirements.
The OCR declared that the presence of malware on any covered entity's or business associate's computer systems should be considered a breach under HIPAA and treated as such. It also suggested that BAAs be updated to require business associates to make sure that covered entities are appropriately notified of possible cyberattacks within a reasonable amount of time.
Recent settlements regarding HIPAA violations have shown just how much security breaches can cost. Settlements have been reached for $2.75 million with the University of Mississippi Medical Center, $2.7 million with Oregon Health & Science University, and $2.2 million with New York Presbyterian Hospital. The first time a business associate was brought to task resulted in Catholic Care Services settling with the OCR for $5.55 million after a smartphone was stolen, compromising hundreds of patients' PHI.
Cloud storage is internet-based storage of data, as opposed to storing data on a physical device such as a computer's hard drive or a portable flash drive. The companies or individuals hosting this storage are known as cloud service providers (CSPs), and they need to be included in a BAA if they handle PHI for your health center. To make sure that this critically important information stays available, it is also recommended that you put a Service Level Agreement (SLA) in place.
SLAs for cloud storage services usually include:
While cloud storage has benefits like better backups and easier access for those authorized to use your center's data, there are security challenges to consider as well.
With the HITECH Act in place, requiring health centers to keep electronic health records both for the benefit of patients who need to access their information and to improve healthcare interoperability, some security risks arise.
Interoperability refers to the ease of transfer of medical information between healthcare providers and insurance providers. Electronic records can be transferred much more quickly than paper records.
However, HIPAA disclosure requirements remain the same. While paper disclosures often required a signed form or some other check before access was granted, emails and digital communications are frequently not treated with the same care.
"Reply-all" mistakes are made in email chains, information is faxed to the wrong number, and permissions to access PHI may not be set up correctly.
It can get messy. You may want a professional to come in and audit your communication procedures. And again, getting certified can help.
Unfortunately, HIPAA violations are quite common, and many medical organizations do not even realize they are violating HIPAA.
Some practices that seem normal or reasonable are still violations of Title II of HIPAA, the section concerning unauthorized access to PHI and de-anonymization of data containing PHI.
For instance, all of the following are common violations:
Getting caught doing these things can have dire consequences. Fines for violations can be as much as $50,000 per piece of mishandled information.
As noted in the section on recent OCR actions, legal settlements can reach millions of dollars. Mistakes can be discovered in audits of a health center or through complaints brought directly by those whose PHI has been compromised.
Having a BAA signed and in place is not very useful if the covered entity does not monitor activity from time to time to make sure its provisions are being observed. It is also not much help to have your business associates following proper protocol if your own staff do not know how to handle health-related data.
While BHAP is not a legal office, and this article is not official legal advice that will fully protect you, some general best practices are as follows:
We cannot emphasize enough that getting certified both teaches you and your staff how to apply good HIPAA protocols and demonstrates to anyone you may want to do business with that you know what you are doing. This is especially sensitive and important for addiction treatment marketing. Here at BHAP, we have certification programs designed for just that.