BAAck to Basics – 4 signs you are over-complicating your BAAs
No two BAAs are exactly the same. We’ve looked at some of the variations before, but lately, we’ve seen more BAAs floating around out there that are pretending to be things that they’re not. In a world of increasing security complexity, contracting needs a back-to-basics approach to the BAA. Check out the key ways we’ve seen BAAs masquerading as unnecessarily complex contracts.
Sign #1: Is it more than 3 pages?
Back to Basics: Keep it simple
Most standard BAA provisions can be expressed in a sentence or two. Don’t believe us? HHS agrees! The Business Associate Obligations in their sample language only contain 335 words. While you may need a little more specificity, depending on the relationship between the Covered Entity and Business Associate (more on that in a moment), concepts like accounting of disclosures, hearing procedures, or secretarial review rarely need embellishment. Even more complex topics such as appropriate safeguards probably shouldn’t stray too far from a basic commitment in the BAA to Security Rule compliance, which leads me to my second sign that it’s time to simplify:
Sign #2: Do you have a Security Exhibit?
Back to Basics: A BAA is not a Security Exhibit
As the cybersecurity threat to the health care industry continues to grow, so does everyone’s awareness of protecting PHI. While there’s a definite need to establish expectations, the better tool to house that discussion is a Security Exhibit separate from the BAA. Not only do the BAA and Security Exhibit have different purposes (the BAA describes what needs to be done to comply with HIPAA; a Security Exhibit sets forth cybersecurity requirements generally), the two documents have vastly different audiences. Additionally, security requirements can vary widely from vendor to vendor, requiring changes to the Security Exhibit. Meanwhile, whether the Business Associate is a two-employee consulting firm or a 20,000-employee shared hosting provider, HIPAA applies to both equally.
Sign #3: You have multiple BAAs
Back to Basics: One size fits almost all
While there are a couple of places in a BAA that may require minor tweaking based on the Business Associate and the services that they provide, most BAAs can (and should) be the same, regardless of the Business Associate. Remember what the BAA represents: compliance commitments under HIPAA. Every entity that interacts with PHI must comply with the same HIPAA requirements. Your BAA should set the rules of the road for everyone. Differences should be hashed out in other agreements, which leads to my last point:
Sign #4: Your BAA stands alone
Back to Basics: Don’t overlook the value of other contracts
The BAA is the beginning of the security and compliance conversation, not the end. An ideal BAA is laser-focused on HIPAA and what that means for the relationship between the parties. Details around the data being exchanged, how it may be used, and what must be done to secure it are best left for the agreements that a BAA should accompany. It is always easier to attach a two-page BAA to an MSA and Security Exhibit than it is to distill everything from those documents into a BAA.
Ready for a BAA overhaul so you can simplify your contracting? Let’s talk.