Hi there. A a few months back, a client asked us to speak to a new vendor that they were thinking about doing business with. The cost of doing business with our client is that they were asking this vendor to sign what’s called a HIPAA Business Associate agreement. If you’re watching this video, you’re probably already familiar with the concept of a HIPAA Business Associate Agreement. It’s a legal document that basically says that you’re going to seriously safeguard any sensitive data that your clients entrust to you. In this case, this vendor had heard of HIPAA but really didn’t know what was involved in signing a HIPAA Business Associate Agreement. So if you’re being asked to sign one, we want to give you some thoughts that you can think through before you sign up, before you put pen to paper.
The first question you need to ask yourself is whether you have a HIPAA-experienced attorney. You need to have a lawyer who has experience reviewing HIPAA-related documents. They’re going to need to review your business associate agreement before you sign it and they’re going to be able to explain what your’e actually obligating your business to do. So ask your existing attorney how much experience that happened with HIPAA-related documents and, if they don’t, ask them for a referral to an attorney with a lot of experience either with HIPAA or in dealing with Medicare or with privacy laws in general.
The second question you need to ask yourself is how comfortable are you airing your dirty laundry to your customer. HIPAA Business Associate Agreements give your customers the right to audit your security program, to come in and bring a security expert and start poking and prodding at your company. This is now cost to doing business with the health care industry, everyone needs to be prepared to demonstrate that they have a strong security and privacy program and if you’re not comfortable with that idea (and it is a thorough review that a lot of these organizations do) then you need to seriously think about whether you can afford to do business with the healthcare industry.
The third thing to consider — one way to mitigate the cost of HIPAA compliance is to segregate your business. You’re not necessarily required to make your entire business compliant, and this was a very important for the vendor that we spoke with. They were being considered for a very small process that would handle what’s called PHI (sensitive data) within their much larger business so the thought of building a strong security program was daunting for this company. Not because they didn’t want to do it but because the cost to do so would be prohibitive. When we started focusing just on what it was going to take to make the actual process that handles sensitive data HIPAA-compliant, it became a lot more manageable.
Now this isn’t without risk. Be sure you understand that you need to take extra care to guard your PHI from the rest of your employees, so you really need to be able to segregate the HIPAA-compliant portion of your business from a physical perspective, from a technical perspective, and from a people perspective.
The next point that you should consider is that you might already be a HIPAA Business Associate even without signing the agreement. Your customers are probably asking you to sign the agreement because you’re probably already working with healthcare customers and you’re probably already receiving personal health information (PHI). If that’s the case, you have to comply with HIPAA whether you sign a contract or not, and there are some pretty serious implications to not doing a good job of complying with HIPAA.
The OCR, the division of the federal government under the Department of Health and Human Services, is handing out very stiff fines for organizations that experience a breach and it’s found that they were not complying with HIPAA while they were handling this sensitive data. There’s also the penalty of possible jail time if you just don’t pay any attention. So if you’re already doing business with healthcare customers, if you’re already handling sensitive PHI, you need to comply with HIPAA whether you sign a HIPAA Business Associate Agreement or not.
The fifth thing you should consider is whether or not healthcare is a strategic focus for your business. By not signing a HIPAA business associate agreement, you are probably going to lose the customer that’s asking you to sign it. It’s not because your customer’s trying to be mean, they really don’t have any choice in the matter. These agreements are required by law so ultimately this decision is going to come down to a cost-benefit analysis for you.
Even before you engage your attorney, you have to be able to weigh the amount of money and the amount of time you’re going to spend to build a compliant security and privacy program and the technology and the experts and the staff that are going to be involved in that versus the revenue you will lose if you turn away the business because you didn’t sign an agreement.
The last thing you want to consider — you really want to start with an assessment both if you’re handling PHI today or think of taking on new healthcare clients. You need to start with reviewing your existing security program. It’s going to show you the gaps that you have, the issues that you need to resolve, and a good assessment is going to be able to tell you what issues you need to address and about how much is it going to cost before you can really be comfortable having the level of security and privacy that’s required to take on healthcare clients.
It’s a good gut check… if you can’t afford a proper assessment/review, then you probably want to walk away from this part of the business. If you don’t have the stomach it takes to build a good security and privacy program from the ground up, you might be in the wrong field.
What should you do next?
Get some free help! Check out our free 42-Point Checklist for ways to make your practice HIPAA compliant.
Talk to us!
Have questions or feedback? Please share them in the comments below.
Like this article? Share it!