BAAs and Beyond: Meeting the 9-22 HIPAA Deadline

Reprinted blog post from DocuSign. Interview between Jennifer Royer of DocuSign and Dave Schoolcraft.

In under two weeks, Covered Entities and Business Associates are required to complete renewed Business Associate Agreements (BAA) to comply with more stringent HIPAA regulations for BAAs that were in place prior to January 2013. We sat down with Dave Schoolcraft, who leads the healthcare law practice at Ogden Murphy Wallace, to help our healthcare and technology partners navigate HIPAA legislation and complete these BAA renewals on time. As Dave explains, digital workflow solutions transform the task at hand from a daunting ordeal to a manageable process, all while reducing time, money and fear associated with 11th hour deadline blues.

What is the significance of the September 22nd BAA deadline?

Simply put, the BAA invokes business operations where Protected Health Information (PHI) is handed over to an outside vendor. For example, say I am the managing physician in a small medical clinic and I decide to hire a consultant and help us figure out how we can efficiently manage billing and reimbursement. I provide this consultant with a spreadsheet of PHI (protected health information). This act requires a BAA, which protects the PHI and the medical clinic against any liabilities. Without the updated BAA, the medical clinic and the consultant directly violate HIPAA. Even if I have longstanding relationship, I still need to sign an updated agreement.

The process – an additional 6 or 7 different paragraphs — is admittedly an administrative burden as most BAAs span multiple pages. If the agreement only covers what HIPAA requires, the process is fairly straightforward. However, BAAs are heavily negotiated and include indemnification provisions. Therefore, manually executing all updated agreements slows down the process as each existing vendor contract must be signed and completed.

What is the most common inquiry you receive from clients regarding the updated BAA requirements?

With the deadline a blink away, I consistently hear, “Do we really have to update all our BAA contracts?”

The answer is a resounding “yes,” because our digital habits and business environment led to an updated and strengthened HIPAA (let’s call this HIPAA 2.0) back in 2009. With the release of the new HIPAA rules in January 2013, healthcare providers have had ample time to coordinate new BAAs with outside vendors whose services involve PHI.

As we inch closer towards September 22nd, it is important to remember that even if a healthcare provider has a longstanding relationship with a vendor, the new BAA, as part of HIPAA 2.0, offers enhanced language that strengthens risk management against ‘cyber-spillage.’ Specifically, the new HIPAA language requires that the Business Associate comply with the HIPAA Security Rule and provide notice of a breach of unsecured PHI. In short, this is smart business.

Risk management sounds like a great idea. Would you explain what you mean by “smart business?”

Sure, let’s use a common situation as our example. When a healthcare provider engages with an outside vendor – perhaps a SaaS company – that analyzes or works with PHI, there is risk of mishandling or ‘spillage.’ If you handed over 10,000 records of patient data to a digital marketing vendor, you need to both protect the data and yourself from the probability that the marketing vendor will send the PHI to sub-contractors for portions of the scope of work.

The new BAA is a bulwark against unforeseen security breaches: you add armor to the trust you place in vendors and their teams. While you may deem renewing all BAAs a hassle, consider this an opportunity to audit all your vendors and evaluate the risks and value from that relationship.

If you do not follow this approach, then you honestly proceed at your own peril.

What happens if healthcare providers don’t comply with the new BAA requirements and fail to update their BAA contracts on time?

That is actually the second most frequently asked question that we field. Technically a healthcare practice faces statutory penalties for any improperly used or leaked PHI. For example, if a healthcare provider contracts with a medical billing vendor without an updated BAA, they face stiff penalties should there be any improper use of PHI. And with the data breaches in the news recently, you really don’t want to take that risk.

Let’s look closer at a data breach scenario. Say a vendor lost a thumb drive containing a high volume of PHI. Per HIPAA 2.0, it is now the vendor’s responsibility to notify the healthcare provider. A vendor needs to self-confess the data breach, regardless of who is at fault, per the new BAA standards. When the government officials arrive to investigate, they will ask if an updated BAA was in place. Healthcare providers shouldn’t rely on trust with vendors. Mistakes happen. And if a bad one occurs, like the theft of an unencrypted laptop containing thousands of patient records, the healthcare provider and the vendor will be held responsible by the government for both the data breach and the failure to comply with the BAA requirements.

Updating your BAAs is a risk management strategy, and it allows you to add additional protection clauses, such as stipulations about the use of data and operations in the Cloud – an increasing trend for providers and payers. The previous HIPAA requirements for a BAA didn’t place direct liability and responsibility on the vendor for failure to sufficiently secure and protect the patient data. With the proliferation of Cloud vendors and third parties working with healthcare providers, the new BAAs provide a mechanism to not only require the safeguarding of PHI and the reporting of a breach, but the sharing of responsibility when a breach does occur. Renewal of these BAAs also give healthcare providers the opportunity to ensure that there are sufficient indemnification and insurance provisions in place so that if a breach does occur the healthcare provider can expect reimbursement and defense from the responsible party.

How Can DocuSign assist in the process of updating all BAAs?

There is an administrative burden to getting these documents signed. When we talk about redoing all existing BAAs, that’s the classic e-mail/print/sign/scan/fax headache. Multiply one process by the number of vendors. That’s an unreasonable burden, and an expensive one if you think about the time and money that one might spend overnighting documents.

For all businesses handling such an exceptional volume of paperwork, a Digital Transaction Management platform, like DocuSign’s, simplifies the process by automating the retrieval of signatures and storing all documents in a single, secure Cloud-based portal. Furthermore, it is crucial to be able to access compliance documents, like BAAs and provider agreements, within a click of a mouse, should there be an audit. The alternative is hiring lawyers to spend a month in your document basement – we have been there with clients, and that is an expensive, tedious, and stressful process for all parties involved.

Any final words or digital best practices for providers and payers?

It’s important to remember that HIPAA dates all the way back to the mid ‘90s – think about the evolution and revolution that has occurred in terms of digital platforms! There has been a great acceleration – on the clinical data side – in moving from paper to digital. The rules that led to the updated BAAs were passed in conjunction with approximately $20billion in stimulus funds directed towards health information technology. Those funds are being used to incentivize healthcare providers’ digital adoption, as part of the “Meaningful Use” regulations. A large portion of these funds have also been earmarked to enforce the new and more stringent HIPAA regulations that were put in place when the government recognized additional risks posed by digital adoption.

In essence, the government decided to add more teeth to HIPAA enforcement. They have hired additional enforcement agents, and as such, more healthcare providers have inquiries and audits – a striking evolution from the old days of HIPAA 1.0. Offenders now face more serious penalties: now, more than ever, it is crucial to comply with the renewed HIPAA regulations. What was once a slap on the wrist is now quite serious – around the $1 million mark depending on the egregiousness of the incident.

Essentially, you don’t want to be out of HIPAA compliance should there be an incident or a proactive audit – and one of the first questions HIPAA enforcement agents ask is whether you have an updated BAA with your vendors.

If you face an administrative burden or are losing sleep over getting your BAAs completed on time, consider Digital Transaction Management to simplify the process now and moving forward.

Thank you, Dave for explaining the implications of the updated HIPAA legislation and offering tips for beating the BAA deadline.

For more information about the September 22 deadline and Digital Transaction Management contact Elana Zana or Dave Schoolcraft or:

HHS Releases Updates to HIPAA Rules

Today HHS released the long-awaited modifications to the HIPAA privacy, security, enforcement and breach notification rules.  A full copy of the rule can be found here.

In a related press release HHS described the impact of the rule as follows:

“The changes in the final rule making provide the public with increased protection and control of personal health information.  The HIPAA Privacy and Security Rules have focused on health care providers, health plans and other entities that process health insurance claims.  The changes announced today expand many of the requirements to business associates of these entities that receive protected health information, such as contractors and subcontractors. Some of the largest breaches reported to HHS have involved business associates. Penalties are increased for noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation. The changes also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification requirements by clarifying when breaches of unsecured heath information must be reported to HHS.”

If you have questions related to the new HIPAA rules please contact Dave Schoolcraft or Elana Zana.

 

OIG Approves Electronic Interface Arrangement

In a recent advisory opinion, the Office of Inspector General DHHS (“OIG”) approved an arrangement under which free access to an electronic computer interface is provided by a hospital to local physicians.  The opinion provides an important contemporary analog to earlier guidance published by the OIG as part of the preamble to the Federal anti-kickback statute safe harbor regulations (see 56 Fed. Reg. 35952, 35978, July 29, 1991).   At the same time, the OIG reinforced its long-standing position that in order for such arrangements to pass muster under the Federal anti-kickback statute, the parties must validate that the technology is limited to facilitating hospital-physician communications, and that it will not have independent value to the physicians. 

Please contact David Schoolcraft  (dschoolcraft@omwlaw.com or 206.447.7000) you have any questions about the scope and applicability of this OIG advisory opinion.

Health Data Privacy Protections to Increase

As we wait for the HITECH Act updates to HIPAA to be finalized, yet another article signals the administration’s intent to strengthen privacy protections for health data– http://www.nytimes.com/2011/05/31/business/31privacy.html

Impact of “Big Data” in Health Care

A Recent report from McKinsey & Company on the evolution of information technology focuses on health care as a sector to watch: “For instance, if US health care could use big data creatively and effectively to drive efficiency and quality, we estimate that the potential value from data in the sector could be more than $300 billion in value every year, two-thirds of which would be in the form of reducing national health care expenditures by about 8 percent.” Full report at http://www.mckinsey.com/mgi/publications/big_data/index.asp