No health system IT department can do it all. This means providers will inevitably turn to third-party technology companies for things like analytic services, cloud storage and secure mobile messaging. It also means organizations will have to navigate the tricky world of business associate agreements. Presenters at the Health Privacy and Security Forum in Boston said covered entities must be cautious when signing such an agreement.
The business associate agreement (BAA) is required under the Health Insurance Portability and Accountability Act (HIPAA). All covered entities must sign contracts with their business partners outlining steps the partner will take to protect patient health information (PHI).
Accountability in BAAs became murky, however, with the passage of the HITECH Act in 2009. Previously, all responsibility for data breaches originating from a business associate fell on the covered entity. The HITECH Act changed the law to make business associates liable for their own breaches.
The Department of Health and Human Services has yet to release the HIPAA omnibus rule, which will update the act's provisions to reflect the changes in the HITECH Act that affect the status of business associates and detail enforcement. Until the final rule is released, it will remain unclear how HHS's Office for Civil Rights (OCR) will deal with business associates after their violations are found to have caused a breach.
With all this in play, covered entities have all the more reason to establish clear contracts with their business associates. Leon Rodriguez, OCR director, said enforcement of HIPAA violations has increased in the last couple of years and will continue in this direction throughout 2013. "It's now understood that enforcement is a fact of life, and that is having a beneficial effect on compliance," he said. Providers that experience a breach could be on the hook for substantial monetary penalties, so they must know what to expect from their business associates.
But it's not always easy to know what kind of security protocols business associates have in place. Speakers at the privacy forum said associates often don't share technical details with clients because it could make proprietary information available to competitors. For example, Sharon Finney, corporate data security officer at Adventist Health System, said she has had difficulty getting mobile device companies to explain the technical protocols their software uses to connect to hospitals' networks. Without this information, it can be difficult to trust the security of the providers, she said.
BAAs should also spell out exactly what kind of infrastructure Software as a Service (SaaS) vendors use. Darren Lacey, chief information security officer and director of IT compliance at Johns Hopkins University and Johns Hopkins Medicine, said some cloud providers currently host their software on Amazon or Rackspace. These commercial hosting options are fine for general application development, but they may not meet the security requirements of HIPAA. "You have to be able to know what the infrastructure is for SaaS providers and assess whether its security is adequate," he said.
Ultimately, determining which business partners should be made to sign BAAs could be one of covered entities' most difficult decisions. While the determination might seem straightforward, experience has proved otherwise.
Adam Greene, partner at Davis Wright Tremaine LLP, said some SaaS providers have taken the position that they are actually more of an information conduit. These groups argue their services should not be regulated, in much the same way Internet service providers and mail carriers that transfer information and documents for covered entities should not be held to BAAs. This argument limits their liability in the event of a breach.
"We've seen in health care, cloud providers take different approaches here," Greene said. "Some have recognized that they're a business associate, others point to potential ambiguity issues, like if there is a conduit exception to the definition of a business associate."
Greene said there may be different considerations to make, based on the specific type of service a cloud provider offers. Vendors providing deeper analytic services that make use of PHI are likely to be considered business associates, but it's less clear in the case of cloud storage services.
Given the ambiguity involved, covered entities must decide for themselves whether they feel it is appropriate to work with a business partner and whether that partner should sign a BAA, several presenters said. If a company is unwilling to make relevant security information available or sign a BAA, it may be in the best interest of the hospital to find a different technology provider.