This is part two of a Q&A with Micky Tripathi, president and CEO of the Massachusetts eHealth Collaborative. Here he discusses how an organization can maintain compliance with the HIPAA omnibus rule by monitoring its business associates. Read the first part here.
Any advice on how to keep an eye on business associates [BAs] for the sake of omnibus rule compliance? Each hospital or health information exchange [HIE] might have one compliance officer and thousands of BAs. How do you prove they're all destroying PHI [personal health information] properly when they're done with it, encrypting data at rest, and so forth?
Micky Tripathi: It's really hard. At some point, you can't have full diligence over the confined details of what each and every BA is doing, and as you pointed out, each hospital has a ton of BAs. A lot of large provider organizations standardize their approach.
First off, they need to recognize that this is a significant issue and standardize the diligence that you're going to apply across all of your BAs. Then you have a centralized place where you document who all of your BAs are, and a checklist of all the things that you'll go through in your diligence to make sure they are covering their bases to your satisfaction.
[You should also document] the different categories, like encryption at rest, having your own internal policies in place, their understanding of what rules and laws are. Certainly as a part of the diligence of bringing on any BA, if they themselves are unclear on the rules and regulations, you might want to think twice about whether you want to have them as a vendor because they're not going to know how to respond. And it could mean that they might inadvertently not have the appropriate safeguards in place in their own processes and technologies.
Revisiting and refreshing that with them periodically is also important, as there is great exposure with a lot of organizations who have long-term relationships with their BAs. They may have signed a BA two, three or 40 years ago and think they're completely covered, but it would be worthwhile to go through a staggered diligence process where perhaps every month you do some sort of audit with some subset of BAs and run through the checklist to make sure you have a good comfort level that they've got things covered. I don't know if there is a magic formula to it, except for centralized tracking of it, formalization of the things that you think are important and having some type of ongoing process to make sure you are refreshing whatever diligence you do so that none of that gets stale.
Have you signed many updated business associate agreements [BAAs] yet with your HIE partner hospitals? Mainly, how are they different from one another, and do they have anything 'scary' in them, such a liability clause, etc., which you hadn't seen before? What has changed in these BAAs since the omnibus rule came out?
Tripathi: We haven't seen that yet. We're not a terribly litigious organization -- we're a nonprofit very focused on the community health mission; and as witnessed by the blog and our publicly trying to offer the industry lessons learned from our breach experience, we tend to sign things that say we should be held accountable for the areas where we make mistakes. It's pretty rare for us to look to the BA and say that it's unreasonable for them to expect that from us, it's just not part of the way we operate. It may be because of that because I haven't really seen any difference whatsoever thus far.
Certainly, organizations who are in the mode of not wanting to be considered a BA and who will now be a BA, for them there is now a legal due diligence process to go through. If you are a cloud vendor who before didn't technically fall under this, or if you're a contractor to a BA and it wasn't clear if you really fell under this, or if you were an HIE [facility] and chose not to be a BA -- then yes, you'll see something different and have to sign one now, where that might make you feel you are taking on more liability than you had before. But it seems to me if you were a responsible steward of the data, you should have been willing to take on those responsibilities to begin with.
Can you explain what the Last Mile Program is and how providers can get involved?
Tripathi: The Last Mile Program is run by the Massachusetts eHealth Institute, and we're a contractor of them to support the overall mission to drive adoption of statewide HIE infrastructure and services. One experience that every HIE has confronted is if they build it, they will come, and then you find out they don't come. We've done a couple of things in Massachusetts to try to make sure that doesn't happen, though. One is that we're not building huge, ambitious infrastructure without having a good sense of what the market wants. We're building incrementally and starting with a simple service in phase one and building up in phase two, etc., so we're not building in advance of where the market is.
The last thing that makes quick and clean implementation possible is that there are a lot of different ways to accomplish HIE now.
president and CEO, Massachusetts eHealth Collaborative
But on the adoption side, and that's where the Last Mile Program comes in, we've said let's use some of these dollars to essentially create an REC [regional extension center] for HIE. Basically thinking that, since we have one for EHR adoption, why wouldn't we have one for HIE adoption? The idea is to identify prospective customers of the HIE, try to educate them through proactive outreach about what services are offered, what the pricing is, what use cases we think it supports, and try to ease the path to adoption.
None of this is plug-and-play, so there is almost always a gap between where their EHR vendor and the version of their software is and where the HIE requirement is in terms of integration, so some work is needed to close that gap. That's where the Last Mile Program is focused -- on both the education, and also helping providers get on as quickly as possible and with as little fuss as possible.
We're doing this a few ways, one being customer relations. Sales and marketing and all of the tools and levers any software organization would use there. The second and third are a little unique -- one is grant opportunities for EHR vendors and provider organizations to encourage them through subsidization of some of the upfront costs to connect with the HIE.
For providers, there will be 25 to 30 provider organizations who will be given grants of up to $75,000 each to pay for the one-time cost that they would incur by connecting to the Massachusetts HIway. This could be interfaces to their vendors, or workflow changes within their organization -- those types of costs that are typically a real barrier to entry, particularly for small organizations and small practices, or [for] the type of organizations that didn't qualify for meaningful use, such as long-term care, behavioral health and home health. These grants can provide some much-needed upfront dollars that would otherwise be a barrier to their participating in the statewide HIE.
There's a parallel program for EHR vendors that will help them pay for the one-time development costs for integration with the statewide HIE, and in return, the Last Mile Program would pay some of the upfront costs where they would in turn provide the interface at a lower cost to all of their customers in Massachusetts.
What do you see as the main barriers to HIE development, and how can they be overcome?
Tripathi: Certainly cost is one part of it. Every state and every HIE has their own approach to how they are doing this. Massachusetts and New Hampshire are both very involved in getting costs down as low as possible. Let's use the opportunity that was provided by the federal government to provide seed capital to get the upfront fixed costs paid for by the HIE, and then figure out what's the lowest operating cost to support the infrastructure and services that were paid for by that capital, and then charge participants on some type of fair-share model. The network is only as valuable as those who are participating.
The other thing that is a little bit more challenging is trying to get the implementation effort down as low and as clean as possible. The technologies are not that mature, and the interoperability standards are still not well defined enough for it to be even close to plug-and-play. And frankly, you have a bunch of EHR vendors, HIE vendors, etc., who sometimes have business models that conflict with the business models of HIE organizations. And I'm not saying that's necessarily a bad thing -- we live in a market economy and all companies need to rationally pursue what they see as their fiduciary responsibility for what their shareholders and owners expect of them. So, I'm not saying it's a bad thing, but it's a fact of life, and not every EHR vendor is fully motivated to connect with HIEs the way the HIE might want them to. Even leaving aside the different motivations, the industry is still very fragmented, which is also a challenge.
The last thing that makes quick and clean implementation possible is that there are a lot of different ways to accomplish HIE now. Most organizations I know face a number of different ways to do this, and that can be paralyzing. If you're an EHR vendor like Epic [Systems Corp.] or Cerner [Corp.] for example, each of those vendors offers an HIE solution. And then SureScripts, the national e-prescribing network, also offers an HIE solution now for document exchange and other types of direct based exchange, and then you might have your statewide HIE, like Massachusetts, and then you may be part of an ACO [accountable care organization] that is also launching a private HIE. So, you've got a number of different ways of getting HIE services, and it's really hard to sort through -- in this nascent, emerging world -- which one makes sense for you. Each one of them has both a financial and opportunity cost, and you're trying to figure out where to focus your resources.
So, price is always a barrier, but it may be that the latter seems to be the bigger challenge in the next year or two. There are a lot of different ways to accomplish this in the market, so the decision-making process might take a while for any organization to sort out.
This was first published in May 2013