I’m getting a lot of déjà vu vibes lately with the old-ish Bruce Willis movie with the catch phrase “I see dead people.” (Remember that?) Only my twist on this phrase for the past few years is, “I see business associates.” A big problem is that many covered entities (CEs), as defined by HIPAA, do not know all the entities doing work for them that are defined as business associates (BAs) under the expanded definition in the Final Omnibus Rule, and according to guidance provided by the Department of Health and Human Services (HHS) (e.g., just one of many such documents and releases discussing the broadened definition of a BA). And, what may be of more significance, many organizations that really are BAs are in denial and refuse to believe that they qualify as such. There are a lot more BAs out there than most realize!
Isn’t there a list of all BAs somewhere?
I’ve had many organizations ask me this question. I’ve also seen this question several times on LinkedIn group discussions. No, there is not one long list somewhere. Given the infinite possibilities for what organizations can do for CEs that would make them BAs, I doubt we will ever see one list exist that will be even close to being complete; new BAs are born every day.
Another big problem right now is that CEs really aren’t aware of what kind of BAs they are doing business with. I don’t believe there are any actually substantiated numbers available. Most of the CEs I’m working with haven’t even identified all their own BAs; often managers in various business units contract outside entities directly, without going to the central area. In the Cost and Benefits section of the Final Omnibus Rule the HHS indicated “(iii) costs to a portion of business associates to bring their subcontracts into compliance with business associate agreement requirements;” would impact 250,000 – 500,000 business associates, and the “(iv) costs to a portion of business associates to achieve full compliance with the Security Rule” would impact 200,000 – 400,000 business associates. However, the HHS has also indicated earlier in the Final Omnibus Rule that they had already expected that existing BAs would have been in compliance with their BA Agreements, so these numbers would generally cover all the additional new types of BAs, along with their subcontractors, that were not considered to be BAs before.
In another location within the Final Omnibus Rule the HHS indicates:
“This rule impacts covered health care providers, health insurance issuers, and third party administrators acting on behalf of health plans, which we estimate to total 698,238 entities. The rule also applies to approximately 1-2 million business associates and an unknown number of subcontractors.23”
Footnote 23 (at the end of the previous quote) indicates:
“23 Although we do not have data on the numbers of business associates, our enforcement experience leads us to believe that each covered entity has, on average, two to three business associates, for a total of 1-2 million business associates. This number likely overestimates the number of business associates, as some entities may be business associates to multiple covered entities. We do not have a basis for estimating the number of subcontractors that will be subject to the rule.”
I believe 1 – 2 million is definitely *not* an overestimate. There are an estimated (per the HHS, mentioned earlier) 700,000 CEs under HIPAA. Think about this:
- A medium sized hospital system I’m working with has 250+ BAs
- A larger hospital system I work with has 2500 BAs
- A medium-sized clinic I’m working with has 83 BAs
- A small health plan I’m working with has 24 BAs
- A small (3 person) surgery center has 9 BAs
Where in the heck are they getting such a low number: 2 – 3 BAs per CE!? Even when considering that many of those BAs are doing work for multiple CEs, that still does not justify such a low estimated average per CE.
Let’s just say, to be VERY conservative, that these 700,000 covered entities (and many of them are small clinics and independent physicians) average 10 business associates (which makes the math easy, too). This gives you 7,000,000 (7 MILLION) business associates. And really, from what I’ve seen, only a minority of the total number of CEs will have as few as 10 BAs. As mentioned earlier, some, if not many, of those BAs are offering services to multiple CEs. However, there are a lot of tiny/micro (1 – 5 people) businesses that are BAs to just one or, maybe, a couple of CEs.
It would be beneficial for the HHS, or some other qualified entity with adequate research resources, to do a study to more accurately identify how many total BAs there are, along with identifying all the different types of services they are providing.
Surely at least the number of cloud service providers that are BAs must be known?
Not that I can find (…and don’t call me Shirley). You would think that trying to identify a more clearly defined subset of total BAs would be an easier job. Many BAs are cloud service providers, but there is no firm number available that I’ve found to indicate how many BAs are cloud service providers. I have 120+ clients for my Compliance Helper and BA Tracker businesses, and many of the BAs themselves, who I definitely would call cloud providers, don’t even consider themselves cloud providers (until I speak with them) because they outsource their systems/operations to managed service providers (MSPs).
Of the approximately 100 BAs I am currently working with, I have 32 that I know of who offer cloud services. Others may be fooling themselves, or may be in denial. Some of the organizations told me that they think that using an MSP offloads the cloud concept to a different entity even though the BAs using the MSPs are actually providing the services to the CEs. Additionally, some BAs that CEs have had for a long time have actually moved their services to the cloud in recent years, so CEs may not even realize that they are now using a cloud-based BA, since it historically was not one.
Bottom line for organizations of all sizes…
All organizations, and not just those in the healthcare industry, need to have accurate knowledge about all the other businesses that are accessing, storing, or otherwise touching their business information; particularly personal information, sensitive information and other types of compliance-covered information. After all, they still ultimately bear responsibility and liability for any bad things that happen under the purview of those outsourced businesses.
Do you know all the businesses that are providing services for your organization that have access to the personal information (such as PHI) that your organization is ultimately responsible to safeguard? If you don’t, you may be blindsided someday as a result of the significant risk that exists for that information.
This post was written as part of the IBM for Midsize Business (http://Goo.gl/t3fgW) program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.