How to Keep BA Agreements Simple
Attorney Gerry Hinkley Discusses HIPAA Omnibus Challenges
When preparing business associate agreements, healthcare entities should not make demands on their vendors with provisions that go beyond specific HIPAA privacy and security regulations, says attorney Gerry Hinkley.
"The one thing that we've seen with business associate agreements is that it's an opportunity for overloading and that's inappropriate," says Hinkley, a partner at the law firm Pillsbury Winthrop Shaw Pittman, in an interview with Information Security Media Group (transcript below). "The business associate agreement ought to be legally compliant but it ought not be the catch-all for obligations you wouldn't expect to find there."
The HIPAA Omnibus Rule, which went into effect last year, holds business associates directly liable for HIPAA compliance. But some covered entities have gone overboard in making a wide assortment of demands for excessive details in business associates agreements, Hinkley contends.
In the interview, Hinkley also discusses:
- The biggest changes and challenges that HIPAA Omnibus has brought to business associates;
- The biggest mistakes he sees business associates and covered entities making in their HIPAA Omnibus compliance efforts;
- How organizations should prepare for a possible HIPAA compliance audit by the Department of Health and Human Services.
Hinkley is chair of Pillsbury Winthrop Shaw Pittman's healthcare industry team based in San Francisco. He's practiced law in the healthcare industry for more than 35 years, with a focus on privacy and information technology. Hinkley is also a member of the leadership council of the eHealth Initiative and chair of the legal task force of the Healthcare Information and Management Systems Society.
MARIANNE KOLBASUK MCGEE: It's been more than a year since HIPAA Omnibus first went into effect in March 2013. What is the status of business associate and covered entity compliance?
GERRY HINKLEY: There is a lot of activity among our clients, particularly those that are business associates. What we've been advising generally is, it's a good opportunity because there is a final compliance date in September of 2014, which is coming up, to pay attention to business associate contracting in particular. It's given us an opportunity to help clients clean up their BA contracting forms and systems, which have become unmanageable for many BAs because they have to manage so many different forms. The larger business associates, say big companies that have a lot of healthcare covered entity clients, have taken this opportunity to establish template business associate agreements that they want to ... enter into. That's a major trend that we're seeing.
We also are seeing that the industry is a little bit behind in compliance. Because of the September 2014 deadline for entering into [an] Omnibus Rule compliant business associate agreement, if your underlying agreement hasn't been amended in the interim, which is very much the case for a lot of business associates, now it's a little bit of an administrative hassle for them to manage it. Particularly those business associates that have lots and lots of covered entity clients.
MCGEE: What are the biggest changes you've seen in the last year in how business associates and covered entities are approaching health data privacy and security?
HINKLEY: The biggest change we are seeing is that there is actually recognition of an obligation of compliance. The big change in [HIPAA under the] HITECH Act, which was passed in 2010, and the Omnibus Rule, which implemented that statute last year, is that business associates are directly liable under HIPAA for violations of the rule, including data breach [notification requirements]. This has created a sense of greater need for a compliance initiative across business associates; that is, business associates are finally realizing this is risk. What we find is that in those situations, we're not necessarily talking to an IT department or another business unit that is handling data. Our direct client contact may be somebody in risk management who is trying to make certain that the company has a sensitive approach to HIPAA compliance. That is a sea change, because when HIPAA was initially adopted over a decade ago this became an IT problem. It also became a budget problem for a lot of covered entities and business associates, because it was another line item that had to be funded. Some organizations stepped up, had the budget and implemented comprehensive compliance programs [while] involving senior management all the way up to the board. But lots of business associates and covered entities did not, and that's the change we're seeing now - compliance programs for organizations, particularly business associates.
MCGEE: What are the biggest compliance struggles that BAs are still having with HIPAA Omnibus?
HINKLEY: It is incidental to the Omnibus Rule, but it actually has always been under HIPAA, and that is the need to conduct appropriate risk, privacy policies, physical and technical security assessments. These are difficult things to do, and they're expensive. The result of them often is that you see situations that need to be corrected. That is the largest challenge. Now recently, the government has published a tool kit for risk assessment. I think it's ironic that [tool] is coming out now, 13 years after covered entities and business associates were obligated to start doing this. Finally the government has realized this is a big problem, and they are trying to provide some help. We just started getting into the tool kit, but I think it is going to be a very useful asset for two purposes. One is to help get your risk assessment organized, but also to understand the enforcement mentality from the government. This is essentially the standard they are putting out there; if you get audited this is what the government is going to expect you to have done since they recently published it.
Dealing with OCR
MCGEE: When it comes to dealing with the HHS Office for Civil Rights, which enforces HIPAA, what sort of advice do you have when it comes to avoiding scrutiny?
HINKLEY: You can't really do that. They've just announced another round of audits. They are going to be auditing business associates. Interestingly, they sent out a questionnaire to a large group of covered entities and business associates, which is kind of a tip-off. If you didn't get the questionnaire, it is unlikely that you're going to get audited within the next audit cycle, which will take place over the next 18 months. That's an interesting approach for the government, because usually they don't want to tell you when they're going to come and check you. I also think it demonstrates a sensitivity to how difficult HIPAA compliance is. If you've gotten one of those questionnaires, your certainty rises dramatically that you're going to be audited. You ought to start preparing for it just as covered entities prepare for Joint Commission accreditation audits, which are surprise audits that come every three years.
Preparing for Audits
MCGEE: What are the top things that these organizations should be doing if they got that letter?
HINKLEY: Conduct your risk assessment, that should be job number one. Two, revisit training; three, pay attention to what the risk assessment shows, and prioritize the larger more significant issues as opposed to the ones that are less significant. Start working on [those issues], because the auditors and government have said they don't expect everybody to be 100 percent compliant, but they want everybody to be working on it. One of the things that happened a couple of years ago, they did test audits that didn't result in any enforcement actions or penalties, but published the results. I think more than a third of those who were audited didn't even know they had HIPAA obligations. I mean that was a shocking statistic for the government, and so what they are trying to do now is make sure that everybody who has an obligation under HIPAA has it on their radar screen. That is the thing you need to do. HIPAA compliance can't just be a binder on the shelf that you bought 12 years ago. It has to be part of operations. It has to be part of your compliance initiative, and every employee who comes in contact with protected health information needs to know about the program. If questioned, [they] need to explain what their obligations are under the program. And that you can only accomplish through training and re-training.
Biggest Omnibus Mistakes
MCGEE: What are the biggest HIPAA Omnibus-related mistakes that you see BAs and covered entities making?
HINKLEY: Not recognizing who all the business associates are. If [they] are receiving protected health information, you need to understand the capacity in which you received it. A lot of covered entities mistakenly believe that anyone that they deliver protected health information to is going to be their business associate, and a business associate agreement flows over. That is not the case. Business associates are only enterprises that act on behalf of a covered entity, like a billing service or any enterprise that does administrative or technical support. Now, another healthcare provider is not automatically the business associate of another covered entity that happens to provide the protected health information, and it's that misunderstanding that we literally encounter every day.
Signing BA Agreements
MCGEE: What should BAs do when it comes to signing agreements when they are pressured by covered entities?
HINKLEY: We have an approach to them. The statute and the rule prescribe what needs to be in a business associate agreement. What we do is have a checklist that we provide to our business associate clients to go through the agreement that is proposed and determine what section of the regulation applies to the provision [in the agreement]. If you can't find a section of the Omnibus Rule ... then you need to ... ask "why is this provision in the agreement?" It may relate to indemnity, or it may relate to other kinds of things. The one thing we have really seen with a business associate agreement over the years is that it's an opportunity for overloading, and we feel that is just really inappropriate. The business associate agreement ought to be legally compliant, but it ought not to be the catch-all for all kinds of obligations that you wouldn't expect to find there. Our advice is, if indemnification is appropriate, it's appropriate across the board in the relationship between the covered entity and business associate; there shouldn't be a different standard with relation to privacy.
Typically, the indemnity provision in the main service agreement and an indemnification in the BA agreement are different. Sometimes they are at odds with each other, and that just gives rise to potential problems. The bottom line for our business associate clients [is], we advise covered entities [to] have a lean and mean business associate agreement that complies with the rules. If there are other provisions that should govern the inter-relationship between the parties, then those ought to be in the agreement that underlies the business associate relationship, and not in a business associate agreement.