Internal BAA Audits: Reigning in Costs, Improving Compliance

By Greg Waldstreicher, CEO, PHIflow

A decade ago, there was very little noise in the healthcare industry about Business Associate Agreements (BAAs). In fact, most professionals outside of legal and compliance departments had little knowledge of these important patient data protection directives.

Today, Business Associates are directly liable to the Office for Civil Rights (OCR), and BAAs have moved front and center as a critical component of HIPAA compliance due to OCR’s extended jurisdiction and steady increases in security incidents and breaches.

Regular audits of these contracts are important for informing breach readiness and response strategies, yet a recent Manatt report funded by the California Healthcare Foundation found that healthcare organizations are challenged to keep track of even the most basic, high level BAA oversight. It is not uncommon for an organization to not know the number of BAAs that exist or even where they are all physically (or electronically) located.

The reality is that many large health systems amass thousands of BAAs across facilities and departments, making ongoing auditing and management complicated. In addition, BAA terms have become increasingly strict, complex and multi-faceted—often going above and beyond the requirements of HITECH and HIPAA—due to expanded oversight from regulatory bodies, increased security risk and higher remediation costs associated with non-compliance.

Healthcare organizations recognize the need for ongoing oversight of BAAs, yet many are challenged to dedicate the time and resources needed for optimal management. Time is of the essence, and the executive suite needs a line of sight now into efficient ways of getting ahead of the BAA compliance curve that draw on a combination of technology-enabled processes and centralized management.

Internal BAA Audits: The Cost and Resource Challenge
While anecdotal, the following scenario paints a picture of the state of the industry as it relates to BAA audits and management.

A health system expands at a rapid pace over a five-year period, acquiring numerous hospitals and physician practices. Facilities and staff are spread across a wide geographic footprint, even extending across state lines. As a result of the expansion, the total number of BAAs under management of the new enterprise reaches several thousand. A total count of BAAs now eludes the executive suite, but more importantly, the specific terms and obligations of each agreement are inevitably overlooked. Contracts and agreements are now housed and managed in different systems across facilities, and ownership is shared by multiple departments. While financial incentives have driven consolidation across the industry, it has never been more important for enterprise compliance to keep up with business needs.

The resource requirements needed to conduct a manual, internal audit of BAAs make it cost prohibitive for many facilities. Due to the high volume of contracts required to conduct business across a large health system, some hospitals simply develop a contract template and make it available to their various business units to manage with little oversight from the central organization, according to the Manatt report. This practice can be problematic when an organization must respond in a timely fashion to a breach or security incident.

While some organizations turn to third parties for internal audits, the cost associated with these services is also high—typically more than $250 per hour for a HIPAA attorney. Low estimates point to timeframes of roughly 1 hour to read, identify and extract key elements from a single BAA. In one recent example, an organization paid $250,000 for services that simply included the extraction of organizational names and breach notification timeframes from 500 BAAs.

As a result of these cost and resource burdens, analyses often occur during times of panic and chaos—in response to security incidents or regulatory audits—and are characterized by tedious, manual processes.

A Better BAA Audit Strategy
Fortunately, there is a better way as the cost of non-compliance is potentially much higher. In recent years, the Office for Civil Rights (OCR) has issued penalties ranging from $31,000 for simply not having a BAA in place to upwards of $5.5 million for more serious offenses.

Regular audits can give the executive suite confidence that BAAs have been executed and are readily available in case of a security incident or breach. At a minimum, audits can be used to answer key questions such as:

  1. Does an agreement exist for all data-sharing relationships involving PHI?
  2. How many BAAs exist in our organization?
  3. Where are they housed?
  4. Who has ownership of BAAs?

Automated management of BAAs helps expedite the process of identifying all agreements and managing them centrally. The right technological framework can lay the foundation for timely access to all BAAs across an enterprise, improving compliance and ensuring readiness for audits or breach response.

Once consolidated, artificial intelligence can then be applied to BAAs to extract actionable insights for higher-level audit activity. Executives can identify key terms that help them better understand an organization’s liabilities and risks and how to proactively manage these areas of compliance. For example, many BAAs do not include a vendor point of contact. When a security incident presents itself, time is of the essence. A breach readiness strategy that identifies contracts with missing points of contact and their phone numbers, mailing addresses and emails can go a long way toward improving response and notification timeframes.

BAAs are a focal point of regulatory attention for good reason: they ensure all parties with access to patient information are following appropriate safeguards. Healthcare organizations need to elevate compliance strategies related to BAAs, and that starts with the right technological framework to promote efficient management and regular audits.