BAs and HIPAA: Who they are, how to assess them and the importance of compliance structure


The relationship between a provider and a business associate can be a complicated one, especially when it comes to cybersecurity concerns. To that end, HIPAA lawyers, speaking on a panel at a healthcare security conference this week, highlighted what providers should look for when signing an agreement with a BA.

The attorneys, Adam Greene of Davis Wright Tremaine, Amy Leopard of Bradley Arant Blout Cummings, and Jim Wieland of Ober l Kaler, went back and forth on a range of topics during the event in the District of Columbia.

Here's what they had to say:

Who is a business associate?

"This seems like a simple question, but still can be a pretty big debate sometimes," Greene said. "We continue to see some challenges in this area."

Greene said one of those hurdles is the changing relationship between health payers and providers. There is increasing interaction between accountable care organizations and similar entities, especially when it comes to increased data sharing. That sometimes will lead to payers saying there needs to be a BA agreement.

Healthcare providers generally are not considered to be BAs of payers, Greene added. "No hospital wants to become subject to a health plan's security control."

Leopard added that changing roles causing providers to move more toward population health management, risk management and value-based purchasing is making them look more like health plans, so there's a lot of blurring of the lines.

Providers dealing with a commercial accountable care association or health plan insisting there needs to be a BA agreement can look to "the granddaddy of the ACOs"--the Medicare Shared Savings Program, Greene said.

"In the Medicare ACO rule they have a whole discussion of how HIPAA applies to the information sharing between Medicare, which is just another health plan, and how HIPAA allows Medicare as a health plan share information with the ACO network for purposes of their healthcare operations," he said.

Why not just sign it?

"Why don't I just sign it anyway," asked Wieland of the other panelists.

"Post-omnibus, I think there's become an attitude 'if it moves stick a business associate agreement on it,'" Greene said.

However, that isn't the best way to approach it, he continued.

"If something goes wrong it's bad enough having to pay your own breach bills, but someone else's breach bills under indemnification," Greene said. You may disagree whether there's a breach and they may think otherwise, so it's not necessarily a good thing to be a business associate."

The importance of compliance structure

It is very important to understand a BAs' compliance structure, especially whether the chief information security officer should be reporting to the chief information officer and whether that's a good compliance structure or if it's what one might call a conflict of interest, Greene said.

It's a big debate among covered entities themselves, but is that something to look at for BAs? he asked.

"There's some potential for a conflict, so you should think about that and think about ways to manage it and put safety valves in place," Leopard said.

Looking at not just an organization's policies but its structure can also give you an idea of its culture, Greene said.

"Is the CISO a low level person who doesn't have much sway in an organization?" he asked. "Or is it someone with really high authority in an organization?"