Applicable Provider Types: All

Is Your Entity in Compliance?

The Health Insurance Portability and Accountability Act of 1996, as modified by the Health Information Technology for Economic and Clinical Health Act of 2009 (HIPAA) requires Covered Entities (CEs), Business Associates (BAs) and Business Associate subcontractors to enter into written agreements governing each party’s rights and obligations with respect to the privacy and security of patient Protected Health Information (PHI). In a previous Ounce of Prevention, we discussed the required elements that must be contained in a Business Associate Agreement (BAA), but several of those clauses can be altered, and your BAAs may contain additional optional clauses that may affect rights and obligations, particularly in light of a breach or security incident. One example is the period required to notify the other party with respect to such breach or security incident. Do you know what your BAAs actually say?

In the event of a breach or security incident, CEs, BAs and subcontractors must be prepared to act quickly and understand their respective obligations to report to other affected parties. Breach of a BAA can lead to costly litigation and failure to identify timeframes and financial obligations can be costly to all parties.

Keeping a BAA tracking chart will provide your organization with a one-stop-shop to review key terms, reporting time frames and additional obligations to each customer or partner, or by each vendor, in one place and can save critical time searching for the right BAA in the event of a time-sensitive breach or incident. This could be particularly essential if a breach occurs involving a BA or subcontractor that has contracted with several CEs that may require prompt notice to each contracted CE.

How to Confirm?

When conducting your BAA audit, create a spreadsheet that includes references and key terms for each customer or vendor, including:

1. timeframe to report a security incident;
2. timeframe to report a breach;
3. whether the BA will support notice to affected individuals in the event of a breach (including paying for notice);
4. indemnification and/or limitations of liability;
5. cybersecurity insurance requirements;
6. definition of a security incident (some BAAs may carve out routine pings and scans);
7. whether BAs or subcontractors have the right to de-identify and/or aggregate data; and
8. other timeframes, such as responding to accounting of disclosure requests.

Once you have a BAA tracker in place, remember to periodically review and add to it each time you enter into a new BAA. You can also use the tracker to help create “fallback” terms to make a negotiation go faster.