I review Business Associate Agreements (BAA’s) as part of our HIPAA services. I went to school for this and decided contract review sounded like a crummy life to live, so I quit. Ironic twist of fate, huh? I actually enjoy this part of my job now, especially in dental since many vendors don’t even know HIPAA applies to them. I get to be “that guy” that notifies businesses of their deficiencies and disturb their profitable bliss of ignorance.
When I’m looking at BAA’s there are a few things I look for that are automatic red flags. Here are a few that you should be aware of:
If it looks basic, or has too much legal jargon, chances are that it is a stock template. Vague language covers HIPAA Compliance requirements, but doesn’t explain actual risks that the Business Associate may pose or the scope of their duties or products.
One Page BAA
This is another easy red flag. If its short, it likely doesn’t have the items that are required, and it leaves you open to a lot of vulnerability.
Dated Before September 2013
BAA’s that are dated before this date do not have the current requirements that were laid out in the Omnibus Final Rule of 2013. Many of these provisions are for your protection as a Covered Entity from non-compliant Business Associates. Look carefully for this date.
Breach Notification Responsibility
Who is supposed to notify your patients that their information was breached? You are. Yet, I have seen numerous BAA’s that state the vendor or Business Associate will handle all aspects of the breach. Ask yourself if you really want the entity that was insecure enough to have a data breach responsible for the message given to your patients about that breach? I sure wouldn’t.
The harm standard means that the patient has to prove they have been financially or reputationally harmed as the result of a data breach in your practice. Omnibus disallowed the harm standard in 2013 because it is almost impossible to put a statue of limitations on time for harm to a patient from your data being compromised. An identity isn’t like a credit card — it can’t be re-issued. Identities are sold and re-sold on the black market for years and many thieves wait extended periods of time before using them.
Despite this law being in effect for 3 years, many vendors as Business Associates still have the harm standard. I usually see the following language:
“We agree to mitigate, to the extent practicable any harmful effect of a data breach.”
If you sign a BAA that has this and that vendor does cause a data breach, you will have to hire an attorney to invalidate the BAA and attempt to go after the vendor directly. Many large vendors count on this as a way to shift financial responsibility back to you. Either way, you end up footing the bill.
I rarely see language where a Business Associate/vendor accepts financial responsibility for actions that led to their causing a data breach. Not only is this a red flag that they don’t take responsibility, but it also alludes to the fact that they probably aren’t insured and possibly aren’t properly securing the sensitive information your patients entrust you with.
In addition, most Cyberliability/Data Breach Insurance Policies do not cover Business Associates or risks they pose to you. This makes it even more important for you to properly vet your vendors to limit your risk. See Cyberlibility & Data Breach Insurance Post
This is by no means an exhaustive list, but they are definitely a good indicator that you need to look harder at this vendor before you allow them access to your Protected Health Information.