How does your BAA (Business Associate Agreement) address breach notification to your clients? We’re asking ourselves tough questions about HIPAA compliance, and our responsibilities as a trusted Business Associate and hosting partner.
#1 What timeframe does your BAA promise clients for PHI breach notification?
As a data center hosting partner to hospitals, physician groups, and health IT companies, we want to be a trusted Business Associate. We consulted experienced health care attorneys and HIPAA auditors to fully understand our responsibilities. Together we created a Business Associate Agreement (BAA) that reflects HHS requirements for timely breach notifications. We’ll share the exact language with you below.
Why preparing for PHI breach notification is critical for Business Associates
Speaking from our own experience, Online Tech serves the health care industry with colocation, managed servers, private and managed clouds, and disaster recovery. A lot of PHI flows through our networks and resides in our servers, clouds, and storage. 62% of the breached records reported to HHS, or 4.4 million, involved a Business Associate. The costs of a PHI breach to patients, Business Associates, and Covered Entities are high with HHS penalties, and lawsuit damages of $1000 per breached patient record.
Anything short of 100% HIPAA compliance puts any Business Associate, their clients, and their patients at undue risk. We weren’t comfortable assessing our own state of HIPAA compliance, so we invested in the expertise of independent health IT security specialists, auditors, and attorneys.
What timeframe does Online Tech’s BAA promise for PHI breach notification?
HHS requires extensive documentation within 10 days of a PHI breach, documentation that must be prepared well in advance. Online Tech’s preparation included an independent risk assessment, remediation, and a complete HIPAA audit of all 54 HITECH citations across our company policies, procedures, facilities, and HIPAA security training, conducted by Certified HIPAA Security Specialist Joe Dylewski, president of ATMP Solutions. Our BAA was prepared in accordance with HITECH requirements with the help of experienced health care attorneys Brian Balow and Tatiana Melnik from Dickinson Wright.
Click here for Online Tech’s BAA Breach Notification Timeframe Clause.
Next week, we’ll discuss preparing for an independent HIPAA audit and the end deliverables.