Why the need for these contractual agreements, and why should you care? In this article, I’m going to answer that as I guide you through what the BAA does, and why you need to know that not all BAAs are created equal in their ability to protect your organization.
Any Covered Entity (defined in the HIPAA rules as health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically) that uses an outside party to perform functions or services on its behalf involving PHI (protected health information) is required by law to have a Business Associate Agreement (BAA) in place with that party. The requirement flows down: any subcontractor of that Business Associate who also creates, receives, maintains, or transmits the PHI must have a BAA as well.
What is the Purpose of the Business Associate Agreement (BAA)?
The BAA is intended to protect patients' rights over their data by establishing the permitted uses and disclosures of their health information. It requires the Business Associate to report breaches of that information to the Covered Entity, and it is a legally required document that outlines, at a high level, the duties of the Covered Entity and those of the Business Associate. The BAA also helps ensure that patients can access their records, learn to whom their records have been disclosed, and have incorrect information about their health amended, a sad necessity now that medical identity theft is on the rise.
What does all of this mean to a Covered Entity working with the cloud? First, it's important to understand that not all BAAs are created equal. They are contracts about shared responsibility models, and the amount of responsibility that is shared, versus held by you alone, can vary tremendously. Second, since you have to have a BAA anyway, step back and decide what you need it to say. Here is some helpful advice based on my review of nearly 1,000 BAAs over the last 8 years.
But before we get into who is responsible for what in the BAA, let’s look at the BAA in a slightly different light. Here’s another way to think about all this: I have kids. You probably do too. When mine were little and I had to leave the house, I would get someone to watch them. That sitter or nanny and I had a shared responsibility agreement. I didn’t just sign up and hand my keys and my kids to anyone who said they could come over and be in the same house. I dove deep and looked at qualifications and experience. What would they be responsible for? Would they be feeding my kids? If yes, what did they know about cooking and nutrition? One of my children had special dietary needs – no dairy products allowed; would they work with me to address that specific need in my home? And more…would they be driving? What kind of driving record did they have? How could they prove to me that they had a history of success in protecting other children they transported from place to place?
We had to discuss which decisions they were going to make (when to play, when to eat) and which decisions I would make (where to go when leaving the property), etc. I found a highly qualified, highly referenced nanny who had certifications like first aid, and we negotiated what we expected of each other. She ended up using her skills and knowledge to assume a lot of responsibilities for my kids, but I kept the primary or ultimate responsibility, while benefiting hugely from her help. This is the same way you can and should address your BAA. Think about what your unique needs are and find the right organization you can trust to share responsibility with you in a clearly articulated way.
So, back to healthcare. Let’s unpack what to look for in your BAA.
The ClearDATA Business Associate Agreement
Partnering with ClearDATA makes a strategic difference in your business model in a lot of positive ways, and the BAA is one to note. The ClearDATA Business Associate Agreement is created with your requirements in mind. It's not one size fits all, because your needs are unique and your business objectives likely vary greatly from those of another customer in a different scenario. Therefore, your needs for protecting PHI when using HIPAA eligible services in the cloud are also unique. In fact, we write the BAA to cover the nuances of each cloud provider (AWS, Google or Microsoft) you plan to use, so you only need one BAA with us as your multi-cloud healthcare platform and cloud services provider. This benefit alone saves a lot of paperwork, attorney time, and ongoing contractual maintenance.
Distinctive Differences in BAAs
So, let's talk about some of the ways the ClearDATA Business Associate Agreement may differ from the BAA you'll get if you go directly to the cloud provider, whether that is AWS, GCP or Azure. Though each differs slightly, a few generalities are important to understand. First and foremost, the cloud providers' BAAs are relatively set in stone and primarily cover only foundational services. For example, you are unlikely to negotiate down the time they may take to notify you of a security incident, and in many cases that can mean waiting up to 30 days to find out. Your stakeholders probably want to know sooner. And you will be required to be the expert on configuring that cloud's HIPAA eligible services so that they are actually used in a HIPAA compliant way: the provider's BAA makes a service eligible, but it does not make your deployment compliant. That work includes cloud security and vulnerability management, including comprehensive logging, data retention, OS hardening, encryption at rest and in transit, and much more. It also requires keeping up with the new updates and services the cloud releases, a number that can exceed 1,500 a year. Unless you have full-time staff with deep cloud architecture expertise dedicated to staying abreast of those updates, you are likely to drift out of compliance and unknowingly create security gaps.
In short, you as the customer have to be solely responsible for configuring those HIPAA eligible services to be HIPAA compliant all the time. In our experience, not a lot of providers, payers, life science companies, or product companies have expert staff on hand to do this.
And any accompanying indemnification or liability coverage will be limited, if it exists at all. Typically, indemnification and liability are capped at what you as the customer have paid to that cloud, while the costs to you in the event of an incident may far exceed that limit. So, what is the solution?
Negotiating a Purposeful BAA
By making ClearDATA your strategic cloud partner, you can negotiate your BAA directly with ClearDATA to meet your legal requirements and address the specific needs of your business across all three clouds. ClearDATA may take on the responsibility of configuring all HIPAA eligible services. The HIPAA Security Rule repeatedly calls for safeguards that are "reasonable and appropriate" without saying what they are, and many healthcare organizations struggle to know what that means in today's technological landscape some 20 years after the rule was written. ClearDATA contractually defines security measures sufficient to reduce risks and vulnerabilities to reasonably appropriate levels by complying with the HITRUST Common Security Framework (CSF), and aligns the latest cloud innovations to those standards, evidenced in reference architectures and prescriptive control integration. What this means to you is that we take requirements from more than 3,700 state, federal, international, and industry standards and regulations and consolidate them into HITRUST's 19 domains:
- Information Protection Program
- Endpoint Protection
- Portable Media Security
- Mobile Device Security
- Wireless Protection
- Configuration Management
- Vulnerability Management
- Network Protection
- Transmission Protection
- Password Management
- Access Control
- Audit Logging and Monitoring
- Education, Training and Awareness
- Third Party Security
- Incident Management
- Business Continuity and Disaster Recovery
- Risk Management
- Physical and Environmental Security
- Data Protection and Privacy
We've signed up to be responsible for automation and remediation of more than 570 controls across these 19 domains to help keep you safe in the cloud. That packs some resource-saving punch, freeing your team's time to focus on your core competencies and business objectives. And if you're reading that list of bullets and thinking it takes some pretty specific skill sets, you're right. Our team is hired and continually trained to do this in a healthcare environment. That's hard to find.
Advanced Shared Responsibility Model
In the shared responsibility image above, the boxes shaded light blue and dark blue fall within the scope of the ClearDATA Business Associate Agreement. (The dark blue boxes are what you can typically expect to be covered if you get your BAA directly with your cloud provider; everything else is on you.) With the ClearDATA Business Associate Agreement, you typically retain responsibility only for the white boxes.
You get our expertise in configuring accounts and services so they comply with the applicable HIPAA rules. You get a purposefully negotiated BAA that meets the needs of your organization, on any cloud you choose. You get reasonable indemnification and limits of liability in the master agreement that accompanies the BAA. You get shared responsibility for a broad list of layers that would otherwise fall to you alone: the operating systems, the network, the firewall, and the platform. And you get disciplined reporting and visualization of security incidents and breach indicators. In fact, we take that a step further with our co-investigative model: we involve you in the investigation of any serious security incident, usually within hours of the first indication.
And here's a good example of how we approach shared responsibility and our commitment to protect you: we commit to working with you to mitigate vulnerabilities we discover, even when we did not cause them and they fall outside the services we manage. HIPAA refers to this as "mitigating harmful effects." We are not going to look away and watch only the domains we configured. If we see an issue that could present risk, we will call to let you know rather than ignore it because it was not stated explicitly in our agreement. It's part of our DNA to go the extra mile when it comes to protecting your business and your PHI. That's part of why hundreds of healthcare organizations, large and small, have partnered with ClearDATA.
There’s more to consider when thinking about your next BAA. Because a BAA flows down from the Covered Entity to the business associate and each subsequent vendor who comes in contact with the PHI, our BAA is negotiated to meet the flow down requirements of you and your customers. This means if you make a significant change in your business model, you don’t have to rewrite dozens of BAAs. We amend one.
We strive to be your most important strategic partner in the healthcare cloud. Our healthcare platform is built on a foundation of HITRUST and our products and services are designed to help you meet your business objectives while maintaining privacy, security, and compliance. Our purposeful BAA is an additional way we support your organization.
Contact us today to discuss your business goals, and we'll show you how we can take much of the burden of making those goals a reality off your shoulders.