Q&A: HIPAA: A Timely Overview & Update


Grant Elliott, CEO and chairman of Ostendio, a collaborative integrative risk-management SaaS platform, presented the webinar “HIPAA: A Timely Overview & Update” and a recording can be viewed here. Grant returned to answer many commonly asked questions from the webinar.

My Covered Entity customer is asking me to sign a BAA (Business Associate Agreement) even though I do not have access to PHI.  What should I do?

Whether you are a Business Associate or not is defined by what you do, not by any contract you sign. If you are not handling PHI then you are not a Business Associate and HIPAA does not apply. But just remember, if you handle any PHI at all on behalf of a Covered Entity, even unintentionally or accidentally, then HIPAA will apply and so will the HIPAA-related terms of the BAA. This is the case regardless of whether you have signed a BAA or not.

It is also critically important to remember that a BAA is a legal document in its own right, and any additional terms you sign as part of that agreement, whether HIPAA applies or not, may be legally binding. I see many BAAs that overreach in terms of adding audit rights, breach notification rights and other rights beyond those required by HIPAA. Often a BAA will include a right to cancel and add language which stipulates the BAA takes precedence over any other part of the overall agreement. Failure to adhere to any part of this addendum, including any non-HIPAA elements, could provide your customer with a back-door mechanism to cancel your contract.

So the short answer is: understand what PHI you will have access to and read the BAA carefully for additional terms before signing.  If you are not sure, I would recommend speaking to a HIPAA lawyer. 

How do I know if I have done enough to be HIPAA compliant?

The tough answer is that you don’t know because unfortunately there is no formal adjudication authority that can provide you with a certificate of compliance to HIPAA. The Office of Civil Rights (OCR), a department within Health and Human Services (HHS), regulates HIPAA but they do not provide a formal certification. Many audit firms will offer to conduct a HIPAA audit or assessment but it is important to bear in mind that the result of this audit or assessment is an opinion only, as they are not authorized to certify you as compliant. However, you can take steps to ensure your organization is operating in line with applicable HIPAA regulations and conducting a HIPAA risk assessment is a requirement of HIPAA. OCR has shown that they consider not conducting an appropriate HIPAA Risk Assessment to be an egregious violation. So the best course of action is to work with an organization that understands HIPAA to conduct a HIPAA Risk Assessment and then work to ensure you remediate any risks identified. While you can never officially claim to be “HIPAA Compliant” you can be confident in knowing you are taking all reasonable and appropriate steps to operate in line with HIPAA regulations.

Do I need to be HIPAA compliant if I don’t have access to PHI?

The short answer is no, you don’t need to be HIPAA compliant if you don’t have access to PHI. However, as discussed above in my answer to the first question, make sure you are not accessing PHI unintentionally. There are many reasons companies should be looking to invest in operating an effective security program to ensure other data is protected, e.g. PII (Personally Identifiable Information).

How responsible am I for my vendors’ compliance under HIPAA?

OCR has stopped short of holding organizations directly responsible for a vendor’s breach of PHI, so long as the organization has taken reasonable steps to ensure their vendor has executed a BAA in line with HIPAA. However, while there may not be any regulatory impact on you for your vendor’s behavior, clearly there is likely to be a significant impact to your company’s reputation following a breach, so there remains a strong business imperative to ensure your vendors are acting responsibly and to verify they have an appropriate security program in place.

Grant Elliott is the CEO and co-founder of Ostendio. The Ostendio MyVCM platform is an industry-leading, collaborative Integrated Risk Management SaaS platform. Ostendio works with hundreds of companies and thousands of users to build security programs that are audit ready for complex audits such as SOC 2, HITRUST, FedRAMP and HIPAA. He is a thought-leader in enterprise cybersecurity and speaks regularly about how organizations can implement effective cybersecurity and Risk Management programs. Elliott is the former COO and CISO of Voxiva (acquired by WellTok), an integrated messaging and patient engagement platform and former business executive at AT&T. He has over 15 years of experience developing and managing cybersecurity programs and supporting regulatory audits. Elliott is also an Adjunct Professor at the Pratt Institute, New York, where he teaches management theory and leadership.

Be sure to view a recording of this webinar on YouTube. Take a look at our book, HIPAA Privacy and Security, and our online compliance training courses such as What is HIPAA? and HIPAA Business Associate Agreements Under HITECH. And check out Grant’s other recordings and blogs with us: Q&A: Basics of GDPR Compliance in the Healthcare Setting, Concerned about GDPR compliance?, and audio versions of his webinars found here.