Too Much of a Good Thing?

Author: Mike Manere, CHC, CHSP, Principal

Let’s face it, running a healthcare business without some type of third-party assistance is difficult. Lawyers, accountants, IT providers, and billing services all help to make the day-to-day operations of medical practices possible. But those services and others pose a compliance risk to you as a covered entity when they must handle your patients’ Protected Health Information (PHI) on your behalf.

Enter the Business Associate Agreement (BAA). At its simplest, a BAA is a legal contract between a covered entity (or another business associate) and an individual or organization that will create, receive, maintain, or transmit Protected Health Information (PHI) as part of the services it renders. The BAA documents the business associate’s assurances that it has the policies, procedures, and safeguards in place to keep that information secure from breach, and it spells out what the business associate must do if a breach occurs.

It sounds pretty straightforward, but we have found that there can be hidden risks. When a practice signs a BAA with a service, it takes on the responsibility of obtaining satisfactory assurances that the BA is buttoned up on its policies and procedures regarding PHI, and of taking reasonable steps to cure or terminate the relationship if it learns that the BA is violating those assurances.

And too many BAAs can be too much of a good thing. Having a lot of BAAs creates a pyramid of risk: a breach within a business associate’s business is a breach of the practice’s PHI, and the reporting obligations flow upstream to the healthcare practice, while a breach at the practice can expose PHI that its business associates also hold. We have seen many cases where BAAs were established with services that don’t really require that level of security.

Practices that have BAAs in place with services like couriers, ISPs, or office cleaning and maintenance companies are actually creating additional risk for themselves. Couriers and ISPs that merely move data or packages without retaining or regularly accessing PHI fall under HIPAA’s conduit exception, and cleaning and maintenance staff whose contact with PHI is incidental are not business associates at all. Such companies are unlikely to have the policies and procedures to meet HIPAA regulatory standards, yet a signed BAA implies that the practice has obtained those assurances and is holding the service to them. In those cases, a simple confidentiality agreement will usually suffice without the added burden of managing the relationship to BAA standards.

To help our clients maintain the right balance with their BAAs, we recommend an annual Security Risk Assessment (SRA). As part of the SRA we inventory every vendor relationship, confirm that each business associate has the documentation to show it can adequately protect PHI and is compliant with HIPAA regulations, and flag vendors that do not create, receive, maintain, or transmit PHI on the practice’s behalf. An annual SRA therefore also reveals services that might be better suited to a confidentiality agreement.

When done correctly, BAAs allow healthcare practices to get the services they need to do business while maintaining the highest standards of compliance and security.