In this episode of the HIPAA Vault Show, we’re diving into the critical world of Business Associate Agreements (BAAs) – the legal linchpin for healthcare organizations and their vendors in ensuring HIPAA compliance and safeguarding patient privacy. We’ll unravel what BAAs are, their significance, and why they’re far from optional or one-size-fits-all documents. As we debunk common misconceptions, we’ll explore the mandatory elements that make BAAs effective, such as defining terms, outlining responsibilities, and specifying indemnification. Plus, we’ll tackle the challenges of negotiating and implementing these agreements, including how giants like Microsoft, Google, and Amazon approach BAAs. Join us as we navigate the complex landscape of BAAs, shedding light on their role in protecting sensitive patient data and the hefty penalties for non-compliance.
Do you have any remaining questions, requests, or just want to chat with us? Email us at podcast@hipaavault.com!
Transcript:
Adam
Hello, and welcome to the HIPAA Vault show, where we discuss all things HIPAA compliance and the cloud. My name is Adam Zeineddine, and I’m joined, as always, by the CTO and founder of HIPAA vault, Gil Vidals.
Gil
Hey, Gil. Hey, Adam. Good to see you again.
Adam
Yes, great to see you. We’ve got some very interesting topics to talk about today on Friday, and we haven’t talked about business associate agreements in a while, so I’m excited to dive into the nitty gritty with you on that.
Gil
Well, I don’t know. BAAs, a legal contract, could sound kind of boring. Do you think we can make it?
Adam
Oh, yes, absolutely. We’ll make it very exciting for the listeners and viewers. Okay. I might do a little dance just to spice things up.
Gil
All right.
Adam
Get things more interesting. But before we dive into it, we’ve got our data breach for the week to review. So let’s dive into that here. This is a big one. So the headline is, malicious insider incident at Montefiore Medical Center results in $4.75 million HIPAA penalty. So the HHS Office for Civil Rights, OCR, has announced its first financial penalty of the year to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). Montefiore Medical Center has agreed to settle the investigation and has paid a $4.75 million penalty to resolve the alleged HIPAA violations.
Gil
Wow.
Adam
So with this one penalty, the Office for Civil Rights has already exceeded its total collections from its HIPAA enforcement actions in 2023. So that in one penalty, it’s exceeded the 2023 total. And it’s the largest financial penalty to be imposed by OCR since 2021 in January. And that was $5.1 million for Excellus Health Plan. And then it goes on to say, which is interesting as well, that the Excellus penalty back in 2021 was in response to a breach of PHI of 9.35 million individuals. This one with Montefiore Medical Center’s penalty stemmed from only PHI of 12,517. Only in comparison to the 9.35 million. Yeah, it is a smaller amount, but the scale of the data breach is taken into consideration when determining the appropriate penalty.
Adam
So they’ve obviously looked at what went on behind the breach and gone with a really high penalty because of it.
Gil
Yeah, this breach was, well, different. And the most common breaches, of course, are from what we call a bad actor. Right, a bad person. That’s a cyber attacker that’s coming in from the outside. But this one was from an insider. An employee was collecting patient information, including names, Social Security numbers, personally identifiable information, and they were selling it. So they were profiting internally by doing that. And so that’s different. And that’s not your typical, oh, we got a hacker that came in. No, this was an employee who had access to the data. They just copied it and sold it. Doesn’t make it any better in terms of paying the 4.7 or 4.8 million, but it is different. And that’s kind of a downer. That’s kind of a bummer because these companies spend so much money protecting from an attacker from the outside.
Gil
But we can’t forget the attack from the inside, too.
Adam
Yeah.
Gil
It’s like, oh, my gosh. Got to protect everything. Both.
Adam
Yeah. It’s alleged that the. Well, they reported that a breach happened back in 2015, and then there’s more info. It goes on to say the insider incident investigated by OCR was not the last time that the medical center has had to deal with malicious insiders. There was an incident involving an employee accessing patient records without authorization, also between 2018 and 2020.
Gil
Yeah.
Adam
So I guess that’s probably why they’ve gone for a really big hit on the penalty. There’s different tiers to the way that they fine, and I think this probably would have been in the top tier.
Gil
Well, that’s a good way to segue into the BAA. So the BAA is important because it’s basically a legal document between the covered entity and the associates. So those listeners that are in the healthcare sector that have business, you have multiple people touching PHI data. The BAA is there to define what the roles and responsibilities are of the patient information, the medical data, and it clearly delineates who’s doing what to the data. That’s pretty important. Adam, I think some people may be, you know, grabbing a quick BAA template off the website. Just signing it here. Let’s just sign this thing. But you should be careful. It’s more than just a checkbox.
Gil
It’s not something you do when you need to think about it because it will have repercussions if there is a breach, that you’re going to go to that document to find out who’s responsible for what. And I think that’s worthy of consideration. Right. Taking your time with that one.
Adam
Yeah, I’m sharing that model business associate agreement on the screen here for the viewers. Listeners, if you want to check this out, it’ll be in the description. This is from the HHS.gov website, and it’s a model business associate agreement that you can use and tailor to your needs. Gil, what are some misconceptions that you found come up, or misunderstandings with healthcare providers or vendors that they might have about BAAs?
Gil
Well, besides that, some business partners may be in a big rush to just get a deal done and they just want to grab any old template and sign it. It’s okay to get a template, like we’re showing a template here. And HHS provides templates, so there’s nothing wrong with the template per se. But the issue is, when you just use the template without reading it right or without studying it, there has to be some thought put into it, and so that would probably be a big mistake. Another one might be to accept all the defaults. There’s a paragraph in these templates that talks about how many days go by before a breach is notified, where all the parties are notified. So let’s say a BAA is signed with two or three partners, that needs to be specified.
Gil
Some of the defaults might be too long for your particular circumstance. If it says, oh, they can allow them 30 days, well, a lot can happen in 30 days. That’s too long. But one day is too short. Right. If something, you suspect something’s happening, you need your tech team and your cyber partners. They need time to review it. So one day is too short. But anyway, it’s the whole evolution of thinking about it, trying to be realistic, putting some real values in there that are meaningful. Yeah.
Adam
What are some challenges that come up in the negotiation for BAAs, like differences in the interpretation or evolving regulations for compliance?
Gil
I’ve seen some BAAs that are pretty thorough. At the top, they have a section, they call them definitions, where they clarify any and all terms that could be ambiguous. So that would be important to disambiguate any potential terms. So that’s what I would say about that. But I can’t think of any other. I mean, it’s a legal document, so you know how it is with legalese and that you have to just read through it carefully. It should make sense to you. By the way, choose a template that’s not overly full of legalese. There are good, strong legal documents that seem to use just regular English instead of the heretofores and whereas. And all that stuff. Yeah. Just because it’s written in legal sounding language doesn’t mean it’s a good legal document. I’d rather have one that sounds like normal English.
Gil
And yet it’s very robust. Yeah.
Adam
And it’s good that there is flexibility with, let’s say there’s a covered entity that has already got their business associate agreement in place. They can ask their vendors to sign it and then vice versa. The covered entity might be a new startup and not have a BAA in place and they can ask to sign the vendor’s BAA. I think another important point is that the BAA doesn’t go into the details of the technical aspects or the configuration that HIPAA requires. It just has some clauses that say, comply with HIPAA law, and then HIPAA law can change and evolve as is moving forward. And that doesn’t necessarily mean the BAA needs to change. So it’s flexible in that sense. Gil, one final question on this. What about the big companies, the big tech giants, do they sign?
Adam
Like, how do you get them to sign a BAA?
Gil
Yeah. So for, you know, Azure and AWS, as in Amazon Web Services, and Google Cloud Platform, known as GCP, they all actually do sign BAAs. Now, it’s more of an automated process. You’re not like talking to some guy on the phone and he’s going to get a piece of paper and sign it. They have some automated program where if you’re a partner of any of these big cloud providers, then you certainly can get one signed. So typically what happens is a partner has a relationship with one of the big cloud providers. They have one BAA signed with the big cloud provider, then this partner company then has relationships with a whole bunch of other companies. Let’s say, like in our case with HIPAA Vault as an example, HIPAA Vault has a BAA signed with Google.
Gil
Now we have a bunch of customers and they sign a BAA with us. So it’s a chain. The customer signs with us, we sign with Google. So that works beautifully, because otherwise it’d be a nightmare if our customers had to sign directly with Google, where the hosting servers are, that would be too crazy and too hard to manage. So chaining BAAs is actually a viable and best practice. So that you have a chain of BAAs, one links one partner to another partner. They’re chained together. And that’s okay. That’s a good way to do it.
Adam
Great. Well, you’ve answered. I was going to throw in a follow-up question there. Does HIPAA Vault engage in BAAs? But I think you answered the question there.
Gil
Yeah, we do. And it’s important, so we do that. We’ve been doing that for years, even before it became a popular, well-known thing. We were doing it a long time ago because we knew how important it was. But yeah, if our audience is thinking about some kind of healthcare app that they have, whether it’s going to be in WooCommerce, WordPress or whatever, and you need to talk to us just to ask us some questions about what you’re doing or you need any advice, then don’t be shy. Reach out to Adam and I, we can help answer questions. Yeah.
Adam
Podcast@hipaavault.com, as always. Or reach out to us in the comments. And, yeah, we’ll get back to you with answers to your questions. Well, that’s it for this week, unless you had anything else, Gil?
Gil
No, that’s it. Looking forward to seeing you next week, Adam.
Adam
All right. Thank you for viewing. Thank you for listening. Happy Friday and thanks for stopping by.