HIPAA BAA Proliferation

There are a wide variety of forces at work in healthcare that are causing healthcare organizations to outsource more and more of their technology and services. No doubt the move to the cloud has brought in a number of new organizations that didn’t previously host PHI for a healthcare organization. This has added hundreds of outside companies who now have access to your patients’ PHI.

In a recent conversation I had with Rita Bowen and Anthony Murray from MRO at the AHIMA Annual Convention they also commented how many organizations were choosing to outsource their ROI and other services in order to keep their staffing ratios down. What a tremendous insight. We’ve all seen those charts (see the one at the left) that show the growth in provider count over time versus the growth in the number of administrators. We all see these charts and see it as a big problem in healthcare.

In order to combat this perception, it’s no surprise that healthcare organizations are trying to keep these admin to doctor ratios at a better level. One way they’re massaging those numbers is to outsource more of their services. We could talk about whether this is a good strategy or not, but that’s a topic for another blog post. The reality is that these ratios and many other drivers are causing organizations to work with a growing number of outside companies.

I was talking with a hospital CIO who told me that they had 300 different health IT systems. As healthcare organizations have brought on more health IT systems and outsourced many of their services, we have seen what I call HIPAA BAA (Business Associate Agreement) Proliferation. Each of these health IT organizations and outside health services will likely need to sign a BAA.

Healthcare organizations are now managing hundreds of business associate agreements with hundreds of partners. Plus, this doesn’t take into account that many of your BAs also have subcontractors for which they need BAAs and so forth down the line. This cascade of BAAs that are needed by a healthcare organization has to keep a lot of risk managers and HIPAA compliance officers up at night. Unfortunately, I don’t believe that most healthcare organizations are doing a great job managing the hundreds and thousands of BAAs that their organizations need.

Rita Bowen and Anthony Murray from MRO offered one suggestion that could help HIPAA compliance officers and risk managers charged with the overwhelming task of business associate agreement compliance. They suggested that the volume of BAAs has gotten so large that it’s time to start scaling BAA vetting efforts to the amount of PHI being shared with each business associate. An ROI (release of information) company that has access to all of your patients’ PHI should be vetted differently than an IT service company that may have some tangential access to PHI but no direct access. Does your BAA vetting process take this into account? My experience is that it doesn’t, but given the volume it probably should.

As health data breaches become more and more common, putting in place a BAA compliance plan that effectively vets your business associates both during the purchase process and again after purchase and implementation is going to be key. Analyzing a business associate’s level of access to PHI and its risk of being compromised is one strategy healthcare organizations will need to use to better handle BAA proliferation in their organization.

What are you doing to handle BAA proliferation in your organization? Are you seeing this happen? Does this keep you up at night? Let us know your thoughts and experiences in the comments.

About the author

John Lynn

John Lynn is the Founder of the HealthcareScene.com, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference, EXPO.health, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.

1 Comment

  • There are so many contributing factors to the proliferation of BAAs. First and foremost, we need to go back in time to the early practices under HIPAA. Back in the day, most healthcare organizations had EVERY new “vendor” sign a BAA, whether they actually shared PHI or not. The rationale/belief back then was that this practice was a defensive measure against “incidental contact” with PHI.

    Fast forward to today. Most organizations are left with the legacy of that bad practice of yesterday. They maintain BAAs with third parties that are not BAs at all. The result? They really cannot produce an inventory of ACTUAL BAs. Further, as the OCR audits and investigations have revealed, the root cause that gives the OCR the greatest concern (and ammunition, if you want to look at it through that lens) is that organizations simply cannot account for their PHI generally. This has been identified over and over as the greatest deficiency of the risk analysis in the OCR’s findings and why nearly every organization fails on this implementation specification.

    So this issue is and always has been bigger and more significant when you look at security and privacy operations more broadly. The real problem is that most organizations simply have no concept of their sensitive data footprint. When we work with clients around third party risk management, we start with the data, sensitive data specifically, in the form of ePHI, PHI, PII, and other data/information assets like intellectual property, company-confidential, etc. After all, we are not architecting security for HIPAA, we are architecting security/privacy to protect our valued data assets…all of them, not just PHI. When you start with the data, the landscape of “vendors” that an organization should care about is greater than just BAs.

    Certainly getting control of the BA inventory and BA risk is a fine place to start, but organizations can gain so much more. The process to tackle BAs and sensitive third parties is the very same when you employ a data-driven approach.

    The MRO team suggests that the “volume” of PHI shared with a BA is a good place to start vetting BAs. But this presumes that organizations know what they are sharing with whom in the first place, and in our experience, this question raises a lot of blank stares around the conference room table.

    There is a common sense and systematic approach to identifying and managing third party IT privacy and security risk. It starts with defining and understanding an organization’s sensitive data footprint. I look forward to your comments and to speaking with anyone that would like to learn more about our data-driven approach.
