New HIPAA rule could change BAA talks
With an onus now on vendors to keep hosted data secure, that can make business associate agreements trickier than ever to negotiate as hospitals try to protect patient information and IT companies try to shield themselves from risk. Four providers offer tips from the trenches on getting the language right.
One of the biggest roadblocks to wider adoption of technologies such as cloud hosting is the fact that CIOs and chief privacy officers look askance at its security protections. They often just don't trust outsourced hosting to keep personal health information safe.
But with the HIPAA Omnibus Rule's new regulations on the responsibilities of business associates – which leave them legally on the hook in the event of a data breach – providers may be more emboldened to embrace the cloud and enjoy the benefits it has to offer.
"For a long time, the cloud was untrusted on multiple levels -- people weren’t familiar with it, they were afraid of the security aspect and, simply stated, it just wasn’t the safe career choice -- in other words, nobody got fired for not choosing the cloud in the past," John Haughton, MD, chief medical information officer of cloud hosting company Covisint, told Healthcare IT News in September.
"That’s all changing dramatically," he said. One big factor has been a shifting in burdens brought about by the new HIPAA rule.
As Leon Rodriguez, director of the Department of Health and Human Services' Office for Civil Rights, told Healthcare IT News just as enforcement of the HIPAA Omnibus rule went into effect, "We have been clear for a very, very long time now with the business associates about the fact that they will become directly accountable under the regulations, that they should begin taking all the necessary steps to amend, if necessary, their policies and procedures and practices to come fully into compliance with these obligations."
Among the new changes, business associates are now responsible for their subcontractors, and they must comply with the security and breach notification rules. Healthcare providers are liable for the actions of BAs who are agents, but not for those that are independent contractors.
That's good news, from a technology standpoint, said Haughton. "In order for the cloud to gain the trust of providers and payers, cloud vendors needed to take on greater responsibility to protect patient privacy."
At recent Healthcare IT News/HIMSS Media events in New York and Boston, privacy officers and CIOs agreed that the shift of responsibilities on business associates could indeed be a game changer. But they also cautioned that negotiating business associate agreements could get tricky and potentially contentious in light of the new HIPAA rules.
In New York, Torie Jones, then chief privacy officer for University of Pennsylvania Health System – her coworkers called her "The HIPAA Lady," she said – emphasized that "the cloud is not going away; I think it's very appealing to healthcare organizations."
Clearly, this is a "new reality," she said, and "we need to figure out the best way to do it within the confines we've been given from a regulatory standpoint."
When the HIPAA Omnibus rule first came down the pike this past January, Jones issued a "prediction" that "business associate negotiations with cloud providers would get very tense … vendors would try to contractually disavow as much as they can."
So far, "in my experience, that has proven correct," she said.
When negotiating BAAs, "be prepared for the back-and-forth," said Jones. "And be prepared to see language that is completely unfamiliar to you, even if you've negotiated BAAs before," as vendors attempt to shield themselves from risk.
It may take "several, several rounds to get to a place where the provider and the business associate are both comfortable with the language," she said. "But go into it with the mindset that it's going to land eventually. You might circle the airport a few times, but you'll get there."
Stephanie Musso, RN, privacy officer at Stony Brook University Hospital on Long Island, agrees. "It's going to be challenging at times," she said.
At Stony Brook, "It was not easy to negotiate the business associate agreement," said Musso. "We had to relook at the vendor's storage security. They were, needless to say, a bit put off that we were asking them all these questions about the security of their cloud: 'Don't you trust us? We've been working with you for 12 years!' This is beyond trust. We have to dot the i's and cross the t's."
The BAAs "were not the easiest things to negotiate, but they did get done," she said.
But going forward, Musso wonders how many companies will have the inclination to go through this rigorous process – and take on added liability.
"It's going to be a very interesting climate, identifying those vendors willing to jump into or stay in the healthcare realm with their cloud storage, and those who are not willing to because they don't want to jump through hoops," said Musso.
'We're protecting the privacy of our patients'
Speaking at the Healthcare IT News Privacy & Security Forum in Boston on Sept. 23, Phil Curran, chief information security officer at Cooper Health System in Camden, N.J., outlined the rigorous steps his hospital took to vet its cloud providers.
"The technical evaluation is an ongoing process," he said. "And once we're done with the tech evaluation, we'll send a team out to do a physical visit to the operations center of the vendor that we're looking at."
He added, "Many vendors don't like us, that we do this, but my opinion is that we're protecting the privacy of our patients. I really don't care about vendors' feelings."
As for crafting associate agreements, Curran enumerated some of the components he sees as must-have, such as, "incident response – how long does it take you to respond? How long does it take you to protect? How long does it take you to remediate? Those types of questions all go into the contract. A copy of the technical evaluation goes into the contract – and let me tell you, they don't want to do that, because it holds them to what they say. It's very hard to get that in there, but you need to push to get it in there."
He added, "We put in our BAA that we want breach notification within 10 days of detection of a breach. Many (vendors) will come back and say, 'We'll let you know in 60.' I'll come back and say, 'I, as a covered entity, am responsible for that breach notification. It has to go out in 60 days. How am I supposed to do that? So, 10 days. Max I'll go is 15.' Most of them say OK."
Like Musso, Curran suggested that larger vendors might be better prepared for this brave new post-Omnibus world than the smaller companies who may balk at the new requirements – if they're aware of them at all.
Speaking of non-cloud business associates, Curran's "experience with vendors varies depending on the size," he said. "Some of the GE- and Epic- and McKesson-type vendors understand what their requirements are. But we have some companies that do transcription for our ambulatory offices. They have no clue as to what their roles and responsibilities are. You need to educate them."
You may well find that that requires "a lot of time," he said. "I was on the phone with one compliance officer for a total of eight hours trying to educate them about what their role was. It was obvious to me that they had no idea what HIPAA privacy and security was all about."
That sort of hand-holding may be an annoyance, but it must be done. After all, said Musso, "It's still your PHI. If it's the vendor you chose, and they fall short of complying with the language they agreed to in the BAA, even if they're the one doing the breach notification, it's your PHI, and it's your reputation."