HIPAA Challenges: Health Care's BAA Breach Readiness Quandary
By Kathleen Kenney and Greg Waldstreicher
For The Record
Vol. 30 No. 9 P. 8
For today's health care organizations, data breaches and security incidents are more a matter of "when," not "if." A 2018 cybersecurity survey by Black Book Market Research found that 90% of health care organizations have experienced a data breach since the third quarter of 2016—and nearly 50% have had more than five.
And the numbers for 2018 aren't any better: 1.13 million records were exposed by 110 breaches in the first quarter alone.
When a breach incident is identified, organizations must respond swiftly and meet strict notification windows dictated by HIPAA and state laws, as well as the contract terms outlined in business associate agreements (BAAs). This makes it more important than ever that executive suites deploy proactive strategies to ensure breach response readiness.
A step-by-step action plan that ensures required notification timeframes are met is a sound foundation to build upon.
Covered entities (CEs) must enter into a BAA with any person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of or in service to a CE. These agreements provide the CE and the Office for Civil Rights (OCR) with satisfactory assurance that the business associate (BA) will safeguard the PHI in its possession and be prepared to take the necessary steps to comply with HIPAA and the BAA should a breach occur.
Effective oversight of BAAs plays an important role in response readiness as the terms of these contracts are often more stringent than the regulations themselves and drive many postbreach processes. Yet, strategies for effectively managing BAAs have not kept up with their escalating numbers. Many health systems have amassed thousands of BAAs, yet health care executives often lack a transparent view into the number of agreements that exist, where they are located, and the specific terms of each—until an incident occurs.
From a HIPAA compliance and reputational standpoint, this is a big problem.
In recent years, the stakes surrounding BAA compliance have become increasingly high amid OCR-launched investigations that prioritized review of these agreements. In some cases, the investigations produced sizeable penalties. As a result, oversight of BAAs is now paramount. The status quo of BAA management must morph from reactive response to a well-honed strategy that draws on the promise of automation and technology-enabled workflows to ensure readiness.
HIPAA requires that CEs and BAs enter into a written agreement that ensures PHI will be protected in accordance with HIPAA guidelines. As noted above, an organization qualifies as a BA if it "creates, receives, maintains, or transmits" PHI "on behalf of" either a CE or another BA. BAAs also detail timeframes for breach notification and response, or the amount of time allowed for BAs to notify CEs of a breach incident.
Identifying vendors that qualify as BAs is not always easy. The lines can get blurred because not all outside vendors or service providers working with a health care organization qualify as BAs under HIPAA. Vendors whose services do not involve PHI fall outside the definition, such as landscapers, janitors, and service contractors (e.g., paper suppliers). Examples of typical BAs include data and analytics software providers, billing companies, and medical software providers.
It is possible for a vendor to transition from an exempt service to one that qualifies it as a BA. For example, a company that provides teleconference lines for CEs may expand its offerings to include screen-sharing and recording services.
According to a Manatt report, to ensure compliance, many health care organizations enter into BAAs with all vendors regardless of whether they exchange PHI, which increases the number of contracts that exist across an enterprise.
Adding to the complexities, some organizations serve as both CEs and BAs. For instance, Amazon Web Services must sign BAAs with all clients that are storing PHI in its cloud. In that case, Amazon is the BA. However, Amazon recently purchased the online pharmacy PillPack, creating a CE within its umbrella. Now Amazon must manage its agreements from two different HIPAA perspectives.
Because BAA management is primarily a manual function in today's health care environment, these types of scenarios increase the complexities of categorizing BAAs and maintaining breach response readiness from both perspectives.
The BAA Challenge
Consider this typical process flow as it relates to BAAs when a breach occurs:
A large health system contacts its attorney, who requests a copy of all BAAs to begin a sizeable data extraction process. Along with identifying the breach notification terms of each agreement, the attorney must pull out such key elements as indemnifications, points of contact, and state law stipulations.
Those overseeing the breach response must then create a data locker and manually track down all BAAs in existence—often equating to thousands of documents spread across facilities, departments, and owners.
Once all BAAs have been identified and uploaded, the project manager shares the database with the organizational attorney. Because the terms of each BAA vary widely, a manual review of each agreement must be conducted to extract the needed information. This typically takes between one and two hours per agreement. Therefore, it is not uncommon for several weeks to pass before completing the initial data mining process, opening the health system up to greater risk of noncompliance and exposure.
A lack of visibility into BAAs is a common issue across the industry. At the most basic level, the Manatt report found that large organizations face significant challenges to keeping an accurate count of BAAs. Rapidly growing consolidation trends in the health care sector exacerbate the situation with many organizations lacking a centralized method of managing agreements and the resources needed to keep pace with their growing numbers.
Extracting data in the aftermath of a breach incident can be tedious, costly, and stressful. The language contained in BAAs has become significantly more complicated due to a fluid and evolving regulatory environment as well as the vital role the patient protection agreements play in an overall security strategy.
As a result, the obligations within each agreement are different. The costs of manually parsing the information needed to ensure contract terms are followed across thousands of BAAs can add up fast—especially since the average attorney fee sits at more than $250 per hour for document review alone. This fee does not include any strategic oversight or advisory from an executive-level attorney. For example, an entry-level attorney may be used for initial review and extraction, but attorneys with much higher rates—upward of $700 per hour—may also review the work and provide oversight and direction.
With the help of technology, health care organizations can rely on counsel to advise on the incident and mitigation steps with a firm understanding from the start of the organization's obligations under the BAA.
In addition, many agreements are missing critical breach response information such as contact points at various organizations or their preferred method of outreach. To achieve a state of readiness, health care organizations must get ahead of this information curve, yet many executives find the process cost prohibitive or are reluctant to expend hefty resources. Consequently, breach response processes are unnecessarily chaotic at a time when the value proposition of order is of the utmost significance.
A Better BAA Breach Readiness Strategy
To improve the outlook on breach readiness as it pertains to BAAs, health care organizations would ideally implement a cost-efficient method of increasing visibility into these agreements across the enterprise. The right infrastructure working in tandem with strategic ownership and oversight can help overcome barriers associated with fragmented vs centralized management, knowledge gaps regarding what is contained in each BAA, and timely access to insights that can power breach response strategy.
Automated, central management of BAAs is an important consideration that can promote much-needed process improvement. Like many areas of health care, the right technological framework can provide the transparency needed to create efficiencies, expedite response, and fill critical knowledge gaps such as an accurate count of existing BAAs and a complete list of respective points of contacts.
Once compiled in a central repository, artificial intelligence can be used to extract actionable insights such as the breach notification timeframes. Together, these technology-enabled processes overcome cost barriers and ensure timely access to needed information when a breach occurs.
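As an added illustration of the kind of automated extraction and deadline tracking this paragraph describes (example code written for this page, not a product of the authors or of PHIflow), the Python script below takes a constructed BAA inventory, parses each agreement's notification clause for its window, and computes the effective deadline from the discovery time, capped at the 60-calendar-day outer limit that 45 CFR 164.410(b) sets for a business associate notifying a covered entity. Vendor names, clause wording, contacts and the discovery date are invented; the clause parser is a regular expression rather than the AI the paragraph mentions; business-day arithmetic skips weekends only, not holidays; and a clause that states no numeric window, or that the parser cannot read, falls back to the regulatory default and is labelled as such so an auditor can see where the contract is silent.

```python
# Added example: compute breach-notification deadlines from a BAA inventory.
# Vendor names, clauses, contacts and the discovery date are constructed.
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# 45 CFR 164.410(b): a business associate must notify the covered entity no
# later than 60 calendar days after discovery. A BAA may shorten this window
# but cannot extend it.
HIPAA_OUTER_LIMIT_DAYS = 60

# Spelled-out numbers seen in clauses; most clauses also give the digits in
# parentheses, which the parser prefers (assumption: a small table suffices).
_WORD_NUMBERS = {"one": 1, "two": 2, "three": 3, "five": 5, "ten": 10,
                 "fifteen": 15, "thirty": 30, "forty-eight": 48,
                 "seventy-two": 72}

# Matches "within 72 hours", "within five (5) business days",
# "within ninety (90) calendar days", "within 10 days".
_WINDOW_RE = re.compile(
    r"within\s+(?P<num>\d+|[a-z-]+)(?:\s*\(\s*(?P<paren>\d+)\s*\))?"
    r"\s+(?P<unit>business\s+days?|calendar\s+days?|days?|hours?)\b",
    re.IGNORECASE)

@dataclass(frozen=True)
class Window:
    amount: int
    unit: str    # "hours", "business_days" or "calendar_days"
    source: str  # "contract" or "hipaa_default"

HIPAA_DEFAULT = Window(HIPAA_OUTER_LIMIT_DAYS, "calendar_days", "hipaa_default")

def parse_window(clause: str) -> Window:
    """Extract the notification window; fall back to the regulatory default
    when the clause states no numeric window or cannot be read."""
    m = _WINDOW_RE.search(clause)
    if m is None:
        return HIPAA_DEFAULT
    if m.group("paren"):                     # "(5)" beats the spelled word
        amount = int(m.group("paren"))
    else:
        raw = m.group("num").lower()
        amount = int(raw) if raw.isdigit() else _WORD_NUMBERS.get(raw, 0)
        if amount == 0:                      # unknown word: do not guess
            return HIPAA_DEFAULT
    unit = m.group("unit").lower()
    if unit.startswith("hour"):
        return Window(amount, "hours", "contract")
    if unit.startswith("business"):
        return Window(amount, "business_days", "contract")
    return Window(amount, "calendar_days", "contract")

def _add_business_days(start: datetime, days: int) -> datetime:
    # Assumption: business days are Mon-Fri; public holidays are not modelled.
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            remaining -= 1
    return current

def effective_deadline(discovered: datetime, w: Window) -> datetime:
    """Earlier of the contract deadline and the HIPAA outer limit."""
    if w.unit == "hours":
        contract = discovered + timedelta(hours=w.amount)
    elif w.unit == "business_days":
        contract = _add_business_days(discovered, w.amount)
    else:
        contract = discovered + timedelta(days=w.amount)
    return min(contract, discovered + timedelta(days=HIPAA_OUTER_LIMIT_DAYS))

def build_schedule(inventory: list, discovered: datetime) -> list:
    """One row per BAA, earliest deadline first, flagging missing contacts."""
    rows = []
    for baa in inventory:
        w = parse_window(baa["notification_clause"])
        rows.append({"vendor": baa["vendor"],
                     "deadline": effective_deadline(discovered, w),
                     "source": w.source,
                     "contact": baa.get("breach_contact", ""),
                     "contact_missing": not baa.get("breach_contact")})
    rows.sort(key=lambda r: r["deadline"])   # stable: ties keep input order
    return rows

# Constructed sample inventory (every value here is invented).
SAMPLE_INVENTORY = [
    {"vendor": "Example Billing Co.", "breach_contact": "privacy@billing.example",
     "notification_clause": "Business Associate shall notify Covered Entity "
                            "within five (5) business days of discovery."},
    {"vendor": "Example Analytics Inc.", "breach_contact": "",  # none on file
     "notification_clause": "Business Associate shall report any Breach "
                            "within 72 hours of discovery."},
    {"vendor": "Example Cloud Host", "breach_contact": "security@cloud.example",
     "notification_clause": "Business Associate shall report a Breach "
                            "without unreasonable delay."},
    {"vendor": "Example Transcription LLC", "breach_contact": "legal@tx.example",
     "notification_clause": "Business Associate shall notify Covered Entity "
                            "within ninety (90) calendar days of discovery."},
]
DISCOVERED = datetime(2018, 9, 14, 9, 0)   # constructed: a Friday morning

if __name__ == "__main__":
    for r in build_schedule(SAMPLE_INVENTORY, DISCOVERED):
        flag = "  <-- no breach contact on file" if r["contact_missing"] else ""
        print(f"{r['deadline']:%Y-%m-%d %H:%M}  {r['vendor']:<26} ({r['source']}){flag}")
```

Run as a script, it prints the four agreements ordered by deadline: the 72-hour clause comes due first, the five-business-day clause the following Friday, and the two remaining agreements on the same day 60 days out, one because its clause is silent and one because its 90-day term is cut back to the regulatory limit. The "source" column is the audit signal: a "hipaa_default" row means the contract itself gives no usable window and should be renegotiated or at least recorded as such before an incident, and the missing-contact flag on the second row is the gap in outreach details the article describes.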
In addition, technology can power proactive breach readiness processes such as regular BAA audits. At a minimum, executives can identify key terms to better understand organizational risk by answering the following key questions:
When it comes to data breaches and security incidents, health care organizations are up against a formidable enemy. Readiness and efficient breach response processes are critical to achieving the best outcome for health care customers and patients, with effective BAA management an important part of the equation.
Health care executives are wise to prioritize process improvement in this area by leveraging technology to move response from reactive to proactive while time is still on their side.
— Kathleen (Katie) Kenney is a privacy and security attorney at Polsinelli PC in the firm's Chicago office who specializes in HIPAA and international privacy issues, including the General Data Protection Regulation.
— Greg Waldstreicher is the founder and CEO of PHIflow, and the cofounder and former CEO of DoseSpot, where he worked at the forefront of the ePrescribing market for nine years. Under Waldstreicher's leadership, DoseSpot licensed its software-as-a-service ePrescribing solutions to 175 health care software companies across the medical, dental, hospice, and digital health markets.