Regulatory Heat: Is Your BAA House in Order?

Posted on August 9, 2018 I Written By

The following is a guest blog post by Greg Waldstreicher, Founder and CEO of PHIflow.

Actions by the Office for Civil Rights (OCR) have clearly demonstrated stricter enforcement of HIPAA rules in recent years, specifically upping the ante on compliance with business associate agreements (BAAs). Much of this activity can be attributed to a grim outlook on security risks: globally, 70% of healthcare organizations have suffered a data breach, and a recent Ponemon Institute report found that the vast majority have experienced multiple security incidents involving protected health information (PHI).

BAAs play an important role in security as the framework by which an organization ensures that any vendor creating, receiving, maintaining or transmitting PHI complies with HIPAA. In recent years, these contracts have come under increased scrutiny amid high-level audits launched by OCR. Mismanagement of BAAs have thus far resulted in penalties ranging from $31,000 for simply not having a BAA in place to upwards of $5.5 million for more serious offenses.

While the stakes are high, healthcare organizations often lack effective oversight strategies for these important patient protection tools. In fact, it’s not uncommon for even the most basic information to elude the executive suite such as:

  • the number of BAAs that exist across an enterprise
  • where BAAs are located
  • the terms of each BAA

In an industry that has witnessed a significant uptick in security incidents and breaches in recent years, this current state of affairs is less than optimal. In truth, the reach of recent audit activity is still an unknown as the healthcare industry awaits full disclosure and recommendations from OCR. One of the latest OCR settlements —$3.5 million levied against Fresenuis Medical Care North America—resulted from multiple incidents that occurred in 2012, underscoring the lengthy timeframe associated with finalizing investigations and legal processes.

All told, current trends point to the need for better oversight and management of BAAs. While penalty activity subsided some in recent months as OCR went through internal transitions, industry legal experts expect that investigative momentum will continue to increase in proportion to heightened security risks across the healthcare landscape.

Unfortunately, healthcare organizations face notable roadblocks to getting their BAA house in order. Amid competing priorities, many simply lack the resources for tracking these agreements. Health systems are increasingly multi-faceted, and current trends associated with mergers, acquisitions and consolidations only exacerbate the challenge. The reality is that some large organizations have as many as 10,000 BAAs across the enterprise. Because these agreements are typically spread across multiple departments and facilities and have a multitude of different owners, managing them in a strategic way via manual processes is nearly impossible.

In tandem with the internal resource challenge, the language contained in BAAs has become significantly more complicated due to not only a fluid and evolving regulatory environment, but also the vital role they play in an overall security strategy. While a simple, cookie-cutter approach to these agreements was fitting a decade ago, BAAs are now intensely negotiated between covered entities and business associates and between business associates and sub-business associates, often involving HIPAA attorneys and resulting in requirements that go beyond HIPAA and HITECH. Subsequently, the terms of each BAA across an organization may vary, making efficient and effective management extremely difficult.

The good news is that there is a relatively simple solution—automated management of BAAs. The right technological framework can lay the foundation for timely access to all contracts across an enterprise, improving compliance and ensuring readiness for audits or breach response. Once consolidated, artificial intelligence can then be applied to BAAs to draw actionable insights in near real-time, informing key personnel of the key terms across all agreements.

The healthcare industry at large has drawn heavily on the promise of automation and data analytics in recent years to power more efficient and effective processes. Management of BAAs is no different and is an area ripe for improvement. Today’s healthcare executives need to consider the high stakes associated with ineffective management of BAAs and take action to shore up strategies amid greater security risks and a challenging regulatory environment.

About Greg Waldstreicher
Greg Waldstreicher is the founder and CEO of PHIflow, and the cofounder and former CEO of DoseSpot, where he worked at the forefront of the electronic prescribing (e-Prescribing) market for nine years. Under Greg’s leadership, DoseSpot licensed its SaaS e-Prescribing solutions to 175 healthcare software companies across the medical, dental, hospice and digital health markets. Greg received a B.S. from the University of Maryland College Park in Accounting and an M.S. from Northeastern University in Technological Entrepreneurship.