There is a wide variety of forces at work in healthcare that are causing healthcare organizations to outsource more and more of their technology and services. No doubt the move to the cloud has brought in a number of new organizations that didn’t previously host PHI for a healthcare organization. This has added hundreds of outside companies that now have access to your patients’ PHI.
In a recent conversation I had with Rita Bowen and Anthony Murray from MRO at the AHIMA Annual Convention, they also commented on how many organizations were choosing to outsource their ROI and other services in order to keep their staffing ratios down. What a tremendous insight. We’ve all seen those charts (see the one at the left) that show the growth in provider count over time versus the growth in the number of administrators. We all see these charts and see them as a big problem in healthcare.
In order to combat this perception, it’s no surprise that healthcare organizations are trying to keep these admin-to-doctor ratios at a better level. One way they’re massaging those numbers is by outsourcing more of their services. We could talk about whether this is a good strategy or not, but that’s a topic for another blog post. The reality is that these ratios and many other drivers are causing organizations to work with a growing number of outside companies.
I was talking with a hospital CIO who told me that they had 300 different health IT systems. As healthcare organizations have brought on more health IT systems and outsourced many of their services, we have seen what I call HIPAA BAA (Business Associate Agreement) Proliferation. Each of these health IT organizations and outside health services will likely need to sign a BAA.
Healthcare organizations are now managing hundreds of business associate agreements with hundreds of partners. Plus, this doesn’t take into account that many of your BAs also have subcontractors with which they need BAAs, and so forth down the line. This cascade of BAAs that a healthcare organization needs has to keep a lot of risk managers and HIPAA compliance officers up at night. Unfortunately, I don’t believe that most healthcare organizations are doing a great job managing the hundreds or thousands of BAAs that their organizations need.
Rita Bowen and Anthony Murray from MRO offered one suggestion that could help HIPAA compliance officers and risk managers who are charged with managing the overwhelming task of business associate agreement compliance. They suggested that the volume of BAAs has gotten so large that it’s time to start evaluating BAA vetting efforts based on the amount of information being shared with the business associate. An ROI (release of information) company that has access to all of your patients’ PHI should be vetted differently than an IT service company that may have some tangential access to PHI but no direct access. Does your BAA vetting process take this into account? My experience is that it doesn’t, but given the volume it probably should.
As health data breaches become more and more common, putting in place a BAA compliance plan that effectively vets your business associates both during the purchase process and after purchase and implementation is going to be key. Analyzing a business associate’s level of access to PHI and its risk of being compromised is one strategy healthcare organizations will need to use to better handle BAA proliferation in their organization.
What are you doing to handle BAA proliferation in your organization? Are you seeing this happen? Does this keep you up at night? Let us know your thoughts and experiences in the comments.