One of the most significant provisions of the Health Insurance Portability and Accountability Act (HIPAA) omnibus rule, issued last December, makes healthcare business associates directly liable for their own HIPAA Privacy Rule and Security Rule violations. The implications of this change are being seen in providers' negotiations of business associate agreements.
Business associate (BA) liability for HIPAA violations was limited prior to the release of the omnibus rule. Providers could negotiate indemnification clauses into contracts with technology vendors that would place responsibility for violations on the vendor. But vendors were typically reluctant to accept these terms, and legally there was nothing providers could do to make vendors accept this kind of accountability.
Now that vendors are directly responsible for their own HIPAA violations, the whole process of negotiating business associate agreements (BAAs) has changed. BAAs are the legal contracts that define the terms under which a vendor will provide services to a healthcare organization.
Sharon Finney, corporate data security officer at Adventist Health System, said the regulation has made the negotiation process less adversarial. It's now much clearer what kind of responsibility BAs have for their own HIPAA violations. Providers don't have to try to negotiate this into agreements. The clarity is important because Finney said the services offered by technology vendors often play an important role in the delivery of care.
For the most part, vendors have accepted the new regulations and their new responsibilities, Finney said. However, it is still important for providers to do due diligence on any company they are thinking of contracting with. Finney said some may try to evade being designated as a BA. Even vendors that recognize and accept their status as a BA might have a weak security posture, leaving them open to breaches. While legal responsibility for such a breach now rests with the vendor, providers can still suffer reputational harm from a BA data breach, because patients may blame their healthcare provider rather than the contractor.
Assessing business associate security
Providers should ask vendors to complete a security assessment before signing a business associate agreement. Just because a company wants to do business with a healthcare organization doesn't mean it is prepared to meet all the new requirements of the HIPAA omnibus rule.
Finney said Adventist has a nine-page questionnaire that asks BAs about where and how they store personal health information and what kind of security controls are applied to data.
Dan Nutkis is the CEO of the Health Information Trust Alliance, an organization that curates a standardized business associate security assessment. He said large healthcare organizations have been using this kind of assessment for most of their vendors for a while, but smaller providers were slow to adopt it. The alliance's security assessment is used by organizations such as CVS Caremark and Health Care Services Corp.
With the flood of technology companies entering the healthcare space, it is important for providers to know that their vendors are prepared to handle the unique regulatory requirements of the industry.
"There's no question that there appears to be a whole bunch of issues with regard to business associates that perform a lot of different tasks and not being as aware of what they're handling," Nutkis said. For example, companies that provide data analytics services for a number of industries may not be aware that the data of their healthcare clients is particularly sensitive.
While the BA has ultimate financial responsibility for fines stemming from its own HIPAA violations, providers still need to notify patients of data breaches.
Getting the contract in your terms
Some vendors may try to bring a pre-written business associate agreement to their healthcare clients. While there can be valid reasons for this, providers may still want the contract to be based on their terms.
For example, Microsoft Corp. recently rewrote its standard BAA for its Office 365, Dynamics CRM and Azure Core Services following the release of the HIPAA omnibus rule. Hemant Pathak, assistant general counsel at Microsoft, said it is necessary to have this kind of standardized BAA, because applications such as Office 365 are meant to scale to the needs of both small private practices and large health systems. For the technology to work, the company needs to have a standardized legal relationship with clients.
"Maintaining a uniform, rigid, standard operating procedure as to how that service is delivered is really the only way we can deliver that service to scale," he said.
But Adventist's Finney said she is increasingly seeing vendors bringing pre-written contracts and feels it is a matter of convenience for the vendors. If a vendor gets its client to sign a pre-written contract, the vendor's legal team doesn't have to spend time negotiating or reviewing proposed changes. Finney said she will try to get vendors to sign the health system's contracts for the same reason.
"Whether we write it on their paper or write it on our paper, it's just a matter of how long it takes us to get through the contract," she said. "But at the end of the day, we're going to negotiate the terms with them carefully."
Ultimately, it should all come back to the regulations, Finney said. Provider-vendor relationships can be successful if both parties agree to accept responsibility for their roles as dictated by the HIPAA rules.