A Business Associate Agreement isn’t just another simple bit of paperwork. The liability commitments in your BAA, and the business relationship it defines, are very serious and very important in clearly defining the responsibilities of both parties. Lately, we have had to ask a lot of questions like “what is in your BAA?”, and today we discuss what we have been seeing out there in the wild, so to speak.
In this episode:
What’s in your BAA? – Ep 233
2020 Sessions Dates Coming Soon
March 24, 25, 26
For info go to TheHIPAABootCamp.com
Share Help Me With HIPAA with one person this week!
SHOUT OUT TO OUR PATREON SUPPORTERS
George Fenton – Kenneth Sims
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
What’s in your BAA?
We actually had another episode planned for today, but that will come next week. The reason for the change is that we both had to vent about something. Business Associate Agreements are not just paperwork! They are a legal contract that defines responsibilities that come with some pretty hefty liabilities. We beg of you: read them, understand them, and do your best to follow them to the letter!
What did David see in a BAA?
David has been looking for a new vendor that provides email encryption and email security services that he can offer to his clients, along with managing and monitoring those services. He found one that he was interested in working with, called Barracuda Networks.
Now, you may have heard of Barracuda Networks. They are a global technology company with thousands of clients, like David’s IT firm, that resell their Barracuda MSP platform. We’re not talking about a small company. They have in-house counsel, so one would assume they have it all together.
Since Barracuda would be a Business Associate, David asked for the BAA so that he could review it BEFORE he signed any other contracts with this vendor. So, the sales rep pushed the request to their in-house counsel and David received the BAA.
Here’s what David found on his review of Barracuda Networks’ BAA:
Well, this is a bit impossible to do, since the NPP (Notice of Privacy Practices) is a document specific to Covered Entities, not Business Associates. How can David even fulfill this? He can’t!
Let’s see what else David found:
Ok. No real issue here, except that, as we’ve discussed before on this podcast, being notified of “any security incident” needs to be defined further. Otherwise, there will be a massive amount of reporting that will need to happen. Here is the text that David recommended they consider adding to this section:
The parties agree that this section satisfies any notices necessary by Subcontractor to Business Associate of the ongoing existence and occurrence of unsuccessful Security Incidents for which no additional notice to Business Associate should be required. For purposes of this Agreement, such unsuccessful Security Incidents include, without limitation, activity such as pings, and other broadcast attacks on the Subcontractor’s firewall, port scans, unsuccessful log-on attempts, denial of service and any combination of the above, so long as no such incident results in unauthorized access, use, or disclosure of Electronic PHI.
Do you see what this additional section does? It identifies and defines a more reasonable and appropriate expectation of reporting security incidents. This benefits both parties.
Lastly, David found this:
Do you see what’s wrong with this picture? No, it isn’t that the field names read “Covered Entity”, although that could be confusing and is certainly someone being… shall we say… less than detailed in their work.
No, the issue here is that Barracuda (who is the Subcontractor) is asking the Business Associate to sign as the Subcontractor… and they are listed as the Business Associate!
Here we have a BAA that has been created, reviewed, approved and circulated by the legal counsel of a large company and we have some really obvious mistakes.
Ok, Ok, so they have some mistakes in the BAA. So what did David do, and why is this a rant worthy of making it onto the show?
Here’s where the wheels start to fall off in this story.
David sends an email over to the rep at Barracuda and points out the problem with requesting NPPs from a BA. He goes into detail about why the section about reporting “any security incident” needs to be better defined so as to be reasonable and appropriate. Lastly, David mentions that the signature section of the agreement is backward.
Now, one would think that Barracuda would read the email, look at what David is referring to, and then make at least some of the changes that were recommended. Ummm… No… The email reply that David received from the Partner Development Manager was the following:
“I was waiting on the response from legal to confirm.
Our BAA is standard across our thousands of partners. We do not change any of our contract terms across any of our agreements.
I apologize that the terms do not match your needs.”
Wait… What??? Let me get this straight, Barracuda. Your BAA (the legal contract that outlines your responsibilities to follow HIPAA and protect the Confidentiality, Integrity, and Availability of Protected Health Information) has mistakes in it, and when this is brought to the attention of your legal team the response is basically: nobody else has a problem signing this; we don’t change contract terms; sign it or go away.
Listen to this episode to hear details about what David did next and the complete runaround that ensued with Barracuda’s legal team. Frankly, given the craziness David experienced with the BAA, he has little faith that Barracuda is following its heavier HIPAA requirements.
This story highlights the need to review the BAA, know what should and should not be in it, and make sure you are vetting your vendors. Be sure the terms of the BAA are correct!
You can’t just assume the terms of your BAA are enough though!
Guess what happens when you start asking questions, though? David found that out in his process when asking his initial questions. That shows you that you really have to take it further to make sure they really intend to follow the contract and not just treat it like paperwork. We have had people argue that they don’t have to do things even when we point out “that is exactly what is in your BAA”!
Example due diligence survey answers
What method do you follow when you do your SRAs?
Annually, we review all applicable regulations, including HIPAA, PCI and other industry requirements. The control is tested and the maturity of the control is documented. The residual risk of the control is documented in accordance with our pre-defined risk scores. Results are shared with Senior Leadership for approval of mitigation or acceptance of risk.
Do you have an associated risk mgmt plan for your most recent SRA?
Not Applicable, we had nothing to address
Did you have an associated risk management plan for your previous SRA?
Not Applicable, we had nothing to address
Who will notify us in the event of a data breach in your organization?
Clients may contact their dedicated Account Manager, or email Privacy@ourdomain.com
What training has the HIPAA Security Officer had that is specific for compliance officers?
Our Security Officer is a Certified Information Security Manager and completes at least 32 hours of Continued Professional Education annually. This includes conferences and independent study. Most recently, our Security Officer obtained the Cisco Certification for Cyber Ops (CCNA Cyber Ops).
There are so many red flags here it starts to look like a red flag corps marching across the screen. These folks had no problem signing anything at all in a BAA. It could be your BAA, or theirs, or a template off the web. They don’t care; just fill out the paperwork and let’s move on, right?
We see so many of these cases once we start asking a few questions. We could go on and share more, but it gets redundant after a while. It is interesting that if you keep asking questions, you will eventually get someone to admit they don’t really have a program, or to blow up at you for having the audacity to ask such questions. Keep in mind, this is your business, your reputation, your patients, and your clients all on the line, so what is in your BAA will matter at some point. Hopefully, it will not be one that causes you to regret treating these contracts like nothing more than paperwork. After all, OCR has told us that when there is an issue involving a BA, the first question they will ask is what is in your BAA.
As you can tell, we have had more than our fair share of frustration lately. The misinformation, or whatever it is that causes people to believe they have things perfectly under control, is creating openings that could damage our businesses, our reputations, or worse, our clients. The frustration level we experience with this just has to be vented sometimes. Thanks for hanging out with us while we had one of those moments! Oh, and do you know what is in your BAA?
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!