HIPAA-HITECH Business Associates Agreements (BAAs) Should Dissolve
In a recent report on the healthcare industry I was surprised to learn how many Business Associates (BAs) are side-stepping their roles and responsibilities in handling Private Health Information (PHI). In essence, most BAs are minimizing their potential exposure to risk and penalties by simply omitting the necessary language from their HIPAA-HITECH Business Associate Agreements. Here is the issue, as I see it. Years ago the Department of Health and Human Services (HHS) had no authority to regulate anyone other than covered entities (CEs), and because of this it established the idea of a business associate agreement (BAA) to impose contractual obligations on the wide range of service providers to the health care industry. While that gave covered entities good reason to put BAAs in place with their business associates (not to mention the HHS mandates), it also established a contractual negotiation that most covered entities are now desperately trying to change.
As HIPAA-HITECH has changed over the years, most recently with the introduction of the Omnibus Final Rule, I view covered entities and business associates as being on a common and level playing field with respect to private health information, to a certain degree. That being said, in my opinion, HHS’s continued requirement for business associate agreements is ridiculous! Shouldn’t it simply be a requirement for everyone (BAs and CEs) to maintain HIPAA-HITECH compliance and exercise due diligence in the protection of private health information?
One glaring issue in my mind deals directly with the “Breach Notification Requirement” included in the omnibus regulation. HHS makes it painfully clear that a covered entity is responsible if its business associate has a security breach, even though these same BAs are bound by a legal obligation (independent of the CE) to maintain HIPAA compliance. How does this even make sense? How is an organization supposed to modify its current business associate agreement to address this?
HHS Has a Chance for Real Change
HHS personnel have explained their rationale for business associate agreements many times, and quite frankly I’m still not sold on the idea. Is it still necessary for covered entities and business associates to create an agreement on the “terms & conditions” under which private health information is handled? Are they not BOTH required to meet HIPAA compliance? If you ask me, one of the main concerns a business associate agreement is supposed to address is ambiguity, yet continuing to require an agreement of this sort is counter-intuitive.
It has recently occurred to me that HHS has an excellent opportunity to borrow from their friends at the Department of Defense (DoD). The DoD has used DIACAP (DoD Information Assurance Certification & Accreditation Process) for years now as its compliance mandate and formal risk acceptance strategy. With DIACAP, the concern is the storing, processing, handling, and transmission of any DoD-related data, much in the same way that HIPAA deals with PHI. Here is where the adoption should take place. DoD agencies are responsible for enforcing DIACAP requirements throughout their own organization(s), for any outsider (commercial entity) providing software, hardware, or solutions to the DoD, and for any inter-connection between the DoD and an outside entity. If an outside source cannot meet the requirements of DIACAP, it is simply no longer approved to continue providing business services to the DoD until those requirements are met. In addition, when dealing with an inter-connection between the DoD and commercial entities, a contractual agreement (often an SLA, MOA, or MOU) is formed to outline the information assurance (IA) controls that the outside entity is required to meet and the IA controls that fall strictly under the purview of the DoD. This would be a rather simple solution to the re-work required for these silly business associate agreements. Hold the covered entity ultimately responsible (which is currently the case), document where security rule requirements are potentially a shared responsibility, and finally, any business associate failing to meet the requirements of HHS is simply stripped of the capability of being an official “business associate”.
As with most compliance requirements, there is still a great deal of clean-up that needs to occur with regard to HIPAA-HITECH and the Omnibus Final Rule. While DIACAP may not be a perfect solution, it does clearly articulate the roles and responsibilities of the parties involved in the processing, storing, handling, and transmitting of DoD data. I think assigning the covered entity overall responsibility for the private health information (thereby making it the DoD for the sake of this argument) and charging the business associate (the outside entity) with proving and maintaining HIPAA compliance would be an excellent modification to the Final Rule and would remove the guesswork associated with drafting a business associate agreement.