
Q&A with Saud Juman, CEO and Founder of PolicyMedical

September 15, 2016
Saud Juman
The management of Business Associate Agreements is a high-risk aspect of health care information security that many providers may underestimate. Saud Juman, CEO and founder of PolicyMedical, has developed technological solutions for organizing and securing these documents in order to avoid data breaches and ensure compliance. DOTmed News asked him to explain the serious nature of this issue and the best ways to handle it.

HCB News: First off, what are Business Associate Agreements and why are they important?
Saud Juman:
Business Associate Agreements (BAAs) are contracts between health care providers and vendors such as health insurance companies that store personal health information (PHI) and “business associates” who perform functions that give them access to protected data. These could be vendors of many sorts, including attorneys, accountants, consultants, IT firms, outside pharmacy firms—anyone who could have direct or indirect access to medical records. Failure to manage data privacy risks can lead to violations of both HIPAA and state privacy laws. So BAA control and management is vital for health care organizations, because mismanagement leaves them exposed to fines and, more importantly, possible leaks of PHI.

HCB News: What are the HIPAA guidelines about how data need to be protected?
SJ:
The HIPAA Privacy Rule does allow hospitals and health care institutions to share PHI with business associates, but only for the explicitly intended purposes of contracted services. Any use of the information beyond that constitutes a breach of PHI and a violation of the Privacy Rule for which the original “covered entity”—or health care contractor—is the liable party. The guidelines are very strict and violations can cost millions per. This is a real financial risk, and it is matched by the damage that such problems can cause to a hospital and its brand reputation. As a result, health care institutions have to carefully monitor the vendors they contract and the assurances they receive from them.

HCB News: Don't Business Associate Agreements already remove liability?
SJ:
In the past, health entities that provided PHI to partners could remove their liability for non-authorized disclosure of data by signing Business Associate Agreements that stipulated the third party’s responsibility to protect this information. But changes in the HIPAA rule have forced covered entities to assume responsibility for ensuring that business associates are taking proper action to protect this data. So BAAs alone no longer suffice to protect them from exposure. They need to keep track not only of the myriad contracts they have with vendors, but of the compliance records of each. To keep up with the complexities of these tasks, the old methods of managing vendor contracts will not suffice: niche cloud-based compliance systems using the latest workflow and security tools are now necessary.
