Almost four years ago I wrote a post entitled “FERPA, GLBA, and HIPAA in Vendor Contracts,” the theme of which was that higher education needed vendors to come to the negotiating table with those privacy and security measures already in place.
Major vendors in higher education heard the clarion call. Beginning with Microsoft, vendors of email and an array of (higher) education apps have stepped up. Not only have they come to the table with provisions for health care information under a covered entity’s watch; they have also come with the Business Associate Agreement (BAA).
The message today: review and sign those BAAs!
Review the BAA, because BAAs vary from vendor to vendor. Not all BAAs are alike. Some fully meet the legal requirements to protect the institution, and others not so much. It is critical to test the statements and commitments made in BAAs against third-party audits; a successful ISO audit that includes ISO/IEC 27018 controls, for example, is a decent proxy for the HIPAA Privacy and Security Rule requirements. Careful attention to the quality of these documents will lower institutional risk and raise the bar among vendors. These efforts will continue an ongoing process of harmonizing standards in cloud computing contracts. Make sure your legal counsel has seen the BAA, has been in contact with the leading attorneys who set the bar for appropriate terms, or has consulted the NACUA or ACE documents designed for this purpose.
If appropriate, sign them … even if at the moment you (CFO, CIO, institutional librarian, research administrator for sponsored/grant programs, or institutional attorney) have not been presented with a specific stakeholder request or general use case. This plea goes out to those attorneys who do not represent medical schools or hospitals, or whose institutions are not hybrid entities under HIPAA.
Here’s why: to proactively protect downstream HIPAA research data.
Information technology professionals and their partners in counsel’s office have, in the last decade or so, focused on getting some basic terms into cloud services contracts. I have written enough about processes that I will not repeat myself in this post.
Data is the crucial link between the contract formation process and the outsourced technical tools. Research data has been the under-recognized component. In my consulting work, I am increasingly acquainted with situations where researchers reach out to information technology professionals with requests to assure the privacy and security requirements for federal government grants on a one-off basis. One-offs are obviously not an effective or efficient way for higher education to do business. Government grants often include technically stringent and legally complicated privacy and security requirements. And at the end of the day, especially when it comes to HIPAA data (which carries the greatest statutory consequences), the plaintiff (the government agency or the individual whose records were breached) will not care whether the breach came from the administrative or the research side of the academic house. To them, a breach is a breach. There are no exceptions or special waivers to accommodate research in higher education.
Sponsored/grant programs, often under vice-presidents/chancellors for research, should work proactively with information technology to address privacy and security requirements. Often laid out in small print, these provisions can be a laundry list of laws and regulations that the granting agency requires for compliance. The institution is the signatory, not the principal investigator. It is also potentially a deep pocket. Among the data sets protected in U.S. law, HIPAA data has the greatest statutory damages associated with it. Moreover, unlike FERPA, it allows for a private right of action. And do not forget that Information Security and Privacy Officers are personally liable under this statute. With their attention on what they will do with the data, principal investigators should not have to do a deep dive into reconciling fine print with institutional resources. Technical tools and coordinated business processes should be part of the “overhead” in the internal accounting of these grant contracts.
The next “winner” is the vendor that can come up with a full-service solution for (a) accepting government grants that include health care data covered under HIPAA and state health care laws; (b) a one-stop service for researchers who require specific HIPAA/HITECH protocols in order to accept their grant money and data; and (c) a solution that incorporates electronic communications (email), storage, data retention, and archived research data (often housed in academic libraries, not the IT unit). In the meantime, it is higher education’s institutional responsibility to be sure that all the pieces of this business and technical process are buttoned up. Take that first step. Review and sign those BAAs!