A Business Associate Agreement? Tell Me More!

1st Talk Compliance features guest Rachel V. Rose, JD, MBA, principal with Rachel V. Rose – Attorney at Law, P.L.L.C., Houston, TX, on the topic of “A Business Associate Agreement? Tell Me More!” Rachel joins our host Catherine Short to discuss how Business Associate Agreements (BAA) are not new; however, some individuals are new to healthcare and others never understood what a BAA is exactly. A BAA is a contract that fundamentally gives assurances that the parties are complying with the Security Rule and Privacy Rule, setting parameters in the event of a reportable security incident or a breach, and states how the sensitive data will be returned and destroyed at the end of the relationship. Some of the items in a BAA are required, while others are optional but common. This presentation not only seeks to dispel myths about why certain language is prevalent in nearly all BAAs, but also provides insight into other provisions, and items for consideration, in light of the 21st Century Cures Act.

Catherine Short 0:01

Welcome, and let’s 1st Talk Compliance. I’m Catherine Short, Manager of Virtual Education at First Healthcare Compliance. Thanks for tuning in. This show is brought to you by First Healthcare Compliance as part of our commitment to provide high quality complimentary educational resources. We help create confidence among compliance professionals throughout the United States. Please show your support by taking a moment to provide a review on Google, Facebook or iTunes. You can also follow us on Instagram, Twitter, and subscribe to our YouTube channel.

On today’s episode, we are speaking with Rachel V. Rose, JD, MBA, principal with Rachel V. Rose – Attorney at Law, P.L.L.C., Houston, Texas, on the topic of appreciating the content of a business associate agreement. A Business Associate Agreement, a BAA, is a contract that fundamentally gives assurances that the parties are complying with the Security Rule and Privacy Rule, setting parameters in the event of a reportable security incident or a breach, and states how the sensitive data will be returned and destroyed at the end of the relationship. Some of the items in the BAA are required, while others are optional, but common. This presentation not only seeks to dispel myths about why certain language is prevalent in nearly all BAAs, but also provides insight into other provisions and items for consideration in light of the 21st Century Cures Act.

Before we begin, I would like to mention at First Healthcare Compliance, we strive to serve as a trusted resource for compliance professionals and every month we celebrate their hard work and dedication with our compliance Super Ninja recognition. For this episode, we’re spotlighting Super Ninja Wendy Mulkey, Business Development Marketing at Emerald Coast Neurology. Wendy says “I am a lifelong learner. Working at Emerald Coast Neurology has allowed me to continue to grow and learn. I feel my contributions are making a positive impact for the staff and patients. At the end of the day, I just want to make a difference. I feel like I’m accomplishing that at Emerald Coast.” Congratulations, Wendy, our team is honored to have the privilege of working with you.

Catherine Short

So hello, Rachel, thank you so much for joining me today on 1st Talk Compliance to speak about BAAs.

Rachel V Rose

Thank you, Catherine. It’s always my pleasure to collaborate with you and First Healthcare Compliance in order to hopefully provide meaningful content to the listeners.

Catherine Short

Thank you. So how about some background? First, can you give us an overview of exactly what a BAA or Business Associate Agreement is and who it involves?

Rachel V Rose

Absolutely. Not surprisingly, that is a very detailed question. As your introduction mentioned, a business associate agreement, which is referred to in 45 CFR 160.504(e) as a business associate contract, is just that. It’s an agreement between two parties to do three primary things. First, ensure that both parties are utilizing the appropriate technical, administrative and physical safeguards in order to ensure that the confidentiality, integrity and availability of the protected health information remains intact. Additionally, it relates to the Privacy Rule, the entire Security Rule and the Breach Notification Rule being adhered to. The second element that always jumps out at me is the notification to the other party and then potentially, to HHS, patients and the media in breaches of 500 or more individuals, and making sure that the parties designate the timeline in which party A, typically the party the breach occurred on, tells party B about this, and then what transpires after that. The last main requirement or part of a business associate agreement is what to do when the relationship between the parties terminates. Now that might seem simple. Oh, I just need to either return and/or destroy the data in a manner that complies with the HIPAA Security Rule and preferably with NIST. That’s part of it. But as we all know, there are situations where we can’t just return or destroy information. Some of those may be obligations of a legal hold or a government investigation or a lawsuit that might be in place. Under federal HIPAA, it applies to covered entities, which are healthcare providers, healthcare claims clearinghouses and insurance companies, and their business associates, and then a subcontractor of that business associate.

Catherine Short

Okay. What is the primary purpose, or purposes, of a BAA?

Rachel V Rose

So as I mentioned, there are typically three main areas. First, you need to define who the parties are at the very top, and which one assumes what role, whether it’s a covered entity and business associate or business associate and subcontractor. All of that is exceptionally important. So just something to be conscientious about there. Then you delve into the three overarching areas or purposes behind the Business Associate Agreement. A) To ascertain that both parties have each been given reasonable assurances that the technical, administrative and physical safeguards, as well as the Privacy Rule, Security Rule and Breach Notification Rule compliance and requirements, are being met. Another item that relates to that now is the 21st Century Cures Act and the ability to give patients their medical records in formats such as smartphone apps that weren’t necessarily available before. Along with that, related to information blocking, are situations where a provider or a business associate may say, the general rule is that we have to provide this, but this is not an app that is secure, or that we’re familiar with, and for the safety of the entire IT infrastructure, we’re not going to provide that. So it’s important now to reference state laws and other relevant laws such as the 21st Century Cures Act. The next main area has to do with notification to the other party of a reportable cybersecurity incident, typically known as a breach, in accordance with the Breach Notification Rule. There are really two steps to that. First, you want to have a timeframe set out between the parties as to when party A, if they’re the breaching party, has to notify party B that there has been a breach. That’s important because their IT department needs to take appropriate steps in order to safeguard certain things or go to plan B or go to backups. So it’s really mutual in nature along those lines.
The second part of a reportable breach would then be, under the Breach Notification Rule, to report to HHS, to report to the patients, and to report to the media if the breach itself affects 500 individuals or more.

Catherine Short

Okay, great. Is there any party or person or entity that a facility works with that it’s perhaps safe not to have a BAA with?

Rachel V Rose

So that’s a great question, Catherine. First, I will go to what’s known as the conduit exception. That’s something that was highlighted in the Final Omnibus Rule, which is published at 78 Federal Register 5566 on January 25, 2013. The conduit exception expressly states that there are certain entities, and they are very limited, but they are, for example, your internet provider would be one, your UPS carrier, whether it’s the United States Postal Service, DHL, UPS, FedEx, any one of those types of carriers, so long as none of their entities did anything other than deliver the package, right? They are just transporting data from point A to point B, and that’s it.

So having said that, and by way of contrast, I think it’s important to note that data centers are considered Business Associates and do not fall within that exception. Another entity that is considered a Business Associate is a cloud computing provider. So whether you utilize AWS or Microsoft Azure, for example, those are still business associates, and that’s why when you go onto their website, you will see their Business Associate Agreements, as well as some commentary on HIPAA and other data privacy laws. Another one that is often a question, so to speak, is, is a lawyer a business associate? The answer there is it depends. Even in my own practice, there are times when I contract with a covered entity. If I’m just reviewing physician contracts, I’m not delving into protected health information, I’m not looking at financials, I’m not looking at anything that would tie any individual back to the past, present or future diagnosis, treatment or financial information associated with any of those items. However, the minute they ask me to look at something that contains PHI, that is absolutely a covered entity/business associate situation, which would require a Business Associate Agreement.

Catherine Short

Okay, so for example, the custodial company perhaps would not need a business associate, but medical waste hauling would.

Rachel V Rose

The cleaning entities are very interesting, because if you think about it, they have access to everything, and typically when no one’s there to supervise them. So hopefully, the organization has all safeguards in place so that when everyone goes home, there is no information that’s left on a computer or computers still not on, they don’t have their passcodes in their top drawer on a sticky note, right? And they have those bins that are locked, so that the information goes to Iron Mountain or another vendor to be shredded, and people can’t access that. I think there’s a distinction too between whether, for example, in a hospital, if the Environmental Services team is hired by the hospital as individual employees, then they are part of the workforce and they should undergo HIPAA training as part of the workforce, but they’re not an independent contractor. Does that make sense?

Catherine Short

Right. Yes, I was speaking of perhaps an outside contract cleaning company or environmental company, as opposed to employees of the hospital.

Rachel V Rose

No, I think, Catherine, on that one there’s just so much potential liability there. They could let someone in the back door, right, because they have access, and that’s something that I do advise people, maybe even to have a modified agreement, if not with all the bells and whistles, but just to ensure that they understand that if they steal something or if there’s an issue, they need to know what to do and what their potential liability is.

Catherine Short

So if you’re just tuning in, you’re listening to 1st Talk Compliance brought to you by First Healthcare Compliance as part of our commitment to provide high quality complimentary educational resources. We help create confidence among compliance professionals throughout the United States. My guest today is Rachel V. Rose, JD, MBA, principal with Rachel V. Rose – Attorney at Law, P.L.L.C., Houston, TX, on the topic of “A Business Associate Agreement? Tell Me More!” Please show your support by taking a few minutes to provide a review of First Healthcare Compliance on Google or Facebook. You can also find us on all other social media.

Okay, can you explain reasonable assurances in relation to business associate agreements and maybe tell us a little bit more what reasonable assurances are?

Rachel V Rose

Sure, absolutely. Basically, it comes up in a lot of different areas of law. Reasonable assurances in HIPAA would be the following, because the first part of the Business Associate Agreement should have both parties giving assurances that they meet the technical, administrative and physical safeguards in order to ensure the confidentiality, integrity and availability of the data. What would give someone peace of mind is the way I like to think of it, and also give them something legally, that they could say, you know what, we know that we do not have a right to go in and inspect everything. So what I do is I have my clients get a signature on an attestation. The purpose behind it, it’s very short, it’s about half a page in length, and all it says is that these reasonable assurances are being provided in order to give peace of mind that the party is adhering to the requirements of HIPAA and the HITECH Act. If people can answer these five questions in earnest, you should walk away with a good feeling that they’re doing everything that needs to be done. The first question is, does the party undergo an annual risk analysis that is comprehensive? Second, do they train their workforce annually? Third, is PHI and sensitive PII encrypted both at rest and in transit? Fourth, are Business Associate Agreements in place, and are they recorded? And lastly, are policies and procedures at least reviewed annually, and are they comprehensive? So with that, that is A) how I define and think of a reasonable assurance, and secondly, how I advise my clients to protect themselves, and then lastly, the types of reasonable assurances are those five that I hone in on.

Catherine Short

Okay, great. What are indemnification provisions and what language should be used in indemnification provisions?

Rachel V Rose 17:30

That’s a loaded question. I’m going to point, kind of in jest, but kind of not in jest, and suggest that people listen to our webinar on indemnification. But in all seriousness, it’s typically thought of as a contractual obligation of one party to compensate the loss incurred to the other party, due to certain acts of the indemnitor or any other party. The duty to indemnify is usually, but not always, coexisting with the contractual duty to hold harmless or save harmless. So let’s step back for a moment. First, before you draft an indemnification provision, you want to make sure that you have an appreciation of a variety of different state laws, whether it is derived from common law, or whether it is, like California, set forth in a statute. Typically, the way a lot of indemnification provisions are written is to indemnify, defend and hold harmless. If you don’t have that exact language, depending on the jurisdiction that you’re in, you may or may not have to defend someone and pay for those costs. It’s so specific to the facts and circumstances in general that I’m trepidatious just to throw out any language surrounding that, but I will say that it’s important to appreciate the significance of an indemnification provision. Some indemnification provisions I read and I’m like, oh, my gosh, I would not advise anyone to sign that, because it’s so one sided, that only one party is held harmless. And in the event of a breach, regardless of whether or not, for example, a Business Associate caused the breach, some of these indemnification provisions read that the Business Associate is responsible for all of the costs. So that should be one of the provisions that any person reads very, very carefully, because it could A) contradict with your other contracts that you have in place, B) you can be shouldering all of the liability, even if you’re not responsible for the breach or the bad act.
So when I write them, I typically make them mutual, so that if one’s being indemnified, the other one’s going to indemnify if they’re at fault. So it’s mutual. Defend is the key term that I discuss with the party. And typically, the party will go back to the other entity if they are in a negotiation, and oftentimes, they’ll say, we’ll just agree to be responsible for our own attorney’s fees on this. So that’s what will happen there. And then the last part of that, something I’ve been doing for a few years now, is to really carve out, and there are two schools of thought. When I carve out specific indemnification provisions related to a breach, it’s the breaching party that has the obligation to pay for the notification to government entities, to the media and to the individual patients. But that’s where the liability ends, so there’s no payment of attorney’s fees, there’s no payment of ransomware. There’s no paying for a deductible on an insurance policy, or anything like that. What my clients, and actually when I’ve been on the phone with opposing parties as well, what they’ve said is that we like this, because we know upfront what we’re responsible for, and it’s limited to this, and it’s balanced for both of us. So there’s no cookie cutter way to draft an indemnification provision, you just have to literally take it word by word with the parties that you’re dealing with.

Catherine Short

Okay, I’ve got another question that has some defining in it, and then some explanation. What is a material breach, for those that don’t know? And can you tell us what MSA stands for? And then how can a material breach of the MSA affect the MSA or other contracts?

Rachel V Rose

MSA is typically your Master Service Agreement. That’s typically what I have seen, but obviously, it’s your main contract. If you are contracting with an IT provider, typically your MSA is your main contract. If you think about how a breach is defined in HIPAA section 164.402, basically, it’s “the acquisition, access, use or disclosure of protected health information in a manner that is not permitted, which compromises the security or privacy of the protected health information.” So basically, when you think of what a material breach is, one can really think of that as, was the incident one that triggered the following: A) requires us to do a root cause analysis to determine whether or not it’s a reportable breach. And then if it is a reportable breach, then how does that impact the underlying contracts? So it’s a little misleading, Catherine, and this is a great question for this reason. If we’re thinking about ransomware, or what we think about in cybersecurity, a breach means that definition that I just read in 164.402, but that has to do with a breach of the information. What flows from that breach of the information can be a material breach of either the Business Associate Agreement and/or the Master Service Agreement, depending on how things are worded.

Catherine Short

Okay, so what if an entity doesn’t fit into one of the HIPAA buckets of covered entities, business associates and/or subcontractors? Do they still have potential liability?

Rachel V Rose

There is potential liability. The three ways that potential liability may arise are A) under state law. For example, I mentioned Texas, which has the definition of a covered entity, which is any person who creates, receives, maintains, or transmits PHI. So while that does include the three federal HIPAA buckets, it actually goes beyond that. That’s one way. Another way is through the Federal Trade Commission. I know in the related webinar, I delved into that in some detail, but basically, the Federal Trade Commission has its own Breach Notification Rule that says if you’re not obligated under HIPAA, you may still have an obligation to report a breach of PHI to consumers; pursuant to the Federal Trade Commission Act Title Five, courts have held that the Federal Trade Commission does in fact have enforcement authority in that situation. So that’s where you could get another government enforcement action.

The last way would be through either a class action lawsuit or a common law negligence lawsuit for a HIPAA breach. So those are really the three ways that someone can be held liable.

Catherine Short

Okay. Is a BAA a binding contract?

Rachel V Rose

It is a binding contract, and it is binding for a multitude of reasons, but it is, per the regulations, considered a contract, and if you are creating, receiving, maintaining or transmitting protected health information between the covered entity, business associate and subcontractor, you do have an obligation to enter into a contract.

Catherine Short

Okay. Well, thank you so much, Rachel. I think we’re just about out of time. Did you have any other thoughts that you wanted to share with us?

Rachel V Rose

Just be aware that BAAs are not cookie cutter. However, there are certain terms and certain provisions which you’ll see over and over again, and that’s because they’re required by the statute and then recommended by HHS on their website.

Catherine Short

I really wanted to thank you, Rachel, for coming on to 1st Talk Compliance on our show today and discussing this important subject. So, thank you so much.

Rachel V Rose

You’re welcome, Catherine, and as always, thank you for having me.

Catherine Short 26:21

Me too. Thank you so much, and thanks to our audience as well for tuning in today to 1st Talk Compliance. You can learn more about the show on the program’s page on healthcarenowradio.com and lend your voice to the conversation on Twitter @1sthcc or #1sttalkcompliance. You can also email me at catherineshort@1sthcc.com. I’m Catherine Short of First Healthcare Compliance. Remember, compliance is the key to achieving peace of mind.