Crafting Successful Business Associate Agreements, Breach Response
The latest Healthcare Strategies’ podcast sheds light on needed elements for a successful business associate agreement, including breach response, with Impact Advisors’ Shefali Mookencherry.
The healthcare sector relies heavily upon its relationships with third-party vendors and business associates, which are critical to ensuring uninterrupted patient care. However, given the vast number of these relationships, providers can also inadvertently expand their threat landscape and create potential issues with HIPAA compliance, especially in the event of a breach.
For example, of the 41.4 million patient records breached in 2019, more than 21 million were compromised by the hacking incident at the American Medical Collection Agency – a healthcare business associate.
In light of the risks posed by business associates, HealthITSecurity.com recently sat down with Impact Advisors’ Shefali Mookencherry, Principal Advisor and Solution Leader of Information Security, Privacy, and Disaster Recovery, for the latest Xtelligent Healthcare Media Healthcare Strategies’ podcast.
To Mookencherry, the key to shoring up vulnerabilities posed by business associate relationships is a strong contract, or the business associate agreement (BAA). Required by HIPAA and the HITECH Act, the legal contract is designed to keep vendors accountable for the patient data they use, store, and share.
“But one thing many folks fail to understand about these business associate agreements is that it doesn't really guarantee that the covered entity is going to be protected from any business associate related breaches,” Mookencherry said. “But it’s a contract that must be in place.”
“It’s a HIPAA requirement that these agreements describe what is permitted and required for protected health information, its use and disclosure by the business associates who utilize the covered entities’ protected health information,” she added.
Through the BAA, business associates are required to detail whether they’ll use their template or the covered entities’ for the use and disclosure of PHI, as well as what’s permitted under their contract and in compliance with HIPAA, she further explained.
Covered entities work out these requirements during the contracting process, which will include agreeing to make reasonable efforts to limit the PHI disclosure to the necessary minimum amount. The amount is determined by how much data will be needed to perform the work on behalf of the covered entity, according to HIPAA. Mookencherry also explained that the contract will need to include details about the need for disclosures, among other aspects.
“One of the key things here is to make sure that the business associate takes reasonable steps to address any breaches or violations on the subcontractors. Business associate agreements make sure the subcontractor knows that they are also being held liable for HIPAA requirements and compliance,” Mookencherry said.
On data breaches, Mookencherry stressed that covered entities often make critical errors when it comes to protecting the enterprise with its BAA. Security is more than checking a box, making it crucial to add sections to the contract to protect the organization from liability in the event of a breach of PHI.
Typically, BAAs should include sections on how many days a business associate will have to notify the covered entity of a breach. Mookencherry also noted that the contract should be designed to safeguard both parties, which may take serious negotiations. At the end of the day, the BAA must be enforceable by the covered entity.
“You have to find a balance as a covered entity with what you feel comfortable, as far as accepting risk,” Mookencherry said. “Most covered entities should have a statement or a policy or procedure that states that here's how we accept risks, and here's how we communicate risk, talking specifically about security risk.”
“But the piece that's lacking is enforcement, enforcement of each of those provisions between a covered entity and a business associate,” she added.
Listen to the full podcast to hear complete insights into how to handle a business associate breach, as well as the biggest elements covered entities get wrong when crafting business associate agreements.