UnitedHealthcare of CA – Second Carrier Requiring Agents Sign Updated Business Associate Agreement
February 26, 2018
In Total HIPAA’s February 5, 2018 blog entitled BlueCross BlueShield of Tennessee (BCBS-T) Now Requires Agents Confirm They are HIPAA Compliant, we wrote on BCBS-T’s requirement for agents to sign a more stringent Business Associate Agreement (BAA). As part of this agreement, the CEO of an agency must sign an attestation that states they meet the security guidelines described in HIPAA, or provide a SOC 2 Type 2 report that has been updated within the last 12 months.
We now have received the following report that UnitedHealthcare of California is requiring similar attestations from their agents.
“In light of how the world has changed from a cyber and privacy risk perspective and increased data security issues within all industries; we are even more focused on protecting customer and member information. As our valued distribution partner, we would like to work with you to confirm that your data security controls and encryption processes minimize risk and effectively operate on behalf of our mutual customers.”
With the carriers increased liability, and exposure to recent breaches, we are expecting this trend to continue with other carriers.
When you sign the new BAA, you are “testifying” that you have a current Risk Assessment, you will be able to provide up-to-date copies of Privacy and Security Policies and Procedures, and your staff is trained on the HIPAA law and your agency’s policies and procedures. In addition, you are allowing the carrier to arbitrate any disagreements, and you will accept the terms of these settlements. If you do not have the proper controls in place, in regards to HIPAA’s Administrative, Privacy and Technical requirements, you could be in for a world of hurt.
There are many companies that have not had properly executed BAAs and been fined or sent to the courts.
- Raleigh Orthopaedic Clinic, P.A. of North Carolina: April 14, 2016 – $750,000
- Breach resulting from an impermissible disclosure of 17,300 individuals’ Protected Health Information (PHI) contained in x-ray films to a third party vendor after orally arranging (no properly signed BAA) for the vendor to harvest the silver from the films in exchange for transferring the x-rays into electronic media.
- Care New England Health System: September 23, 2016 – $400,000
- The Department of Health and Human Services Office for Civil Rights (HHS OCR) received notification from the Woman & Infants Hospital of Rhode Island (WIH), a covered entity member of Care New England Health System (CNEHS), regarding a breach of its unsecured PHI. WIH reported it had discovered unencrypted backup tapes containing PHI were missing from two of its facilities. CNEHS provides centralized corporate support, including technical support and information security for WIH’s information systems as its business associate. WIH provided HHS OCR with a BAA with CNEHS effective March 15, 2005, that was not updated until August 28, 2015, as a result of HHS OCR’s investigation.
- Center for Children’s Digestive Health: April 20, 2017 – $31,000
- The fine comes after a compliance review from HHS OCR was started following an initiation of an investigation of a business associate, FileFax, storing PHI for the Center for Children’s Digestive Health. While the center began disclosing PHI to Filefax in 2003, neither party could produce a signed BAA prior to October 12, 2015.
- CVS Pharmacy, Inc. et al v. Press America, Inc.: January 3, 2018 – $1,845,000
- CVS Pharmacy (CVS) sought reimbursement from its business associate, Press America, of $1.845 million following a 2012 PHI data breach resulting in unauthorized disclosure of 41 beneficiaries of IBM’s health plan. CVS “agreed to administer IBM’s managed care pharmacy program”. Press America agreed to printing and mailing services for CVS. The 2012 breach was caused by Press America mailing information incorrectly addressed containing beneficiaries’ PHI. CVS paid $1.845 million to IBM, and they are now seeking to recoup that money from Press America. A federal court is letting this claim move forward, so we will be keeping an eye out for that.
What do these stories suggest? You need to have a BAA in place that is current and you can back-up all the items listed in the agreement.
UnitedHealthcare states, “…we have developed a required online attestation to document your security controls, as it relates to sharing of data and information during the sales, implementation, and service of UnitedHealthcare customers. This request should only take about 5 minutes.” What UnitedHealthcare doesn’t state is that there is a lot of work you need to complete before you can sign the attestation document.
BCBS-T gives a more detailed description of what they want. The options are either a SOC 2 Type 2 report or a signed attestation by a CEO or other high-level manager.
Option 1: SOC 2 Report
A Service Organization Control 2 or SOC 2 report is an in-depth audit that is performed with the assistance of a CPA (and more appropriate for a company that conducts most of its business through credit card transactions). A SOC 2 will test and report on the design (Type 1) and operate (Type 2) effectiveness of your company’s controls in regards to security, availability, processing Integrity, confidentiality, and privacy. SOC 2 Type 1 will focus on creating the policies and procedures and establishing controls at the time of starting a SOC 2 report. You create the policies and procedures then monitor your company’s controls for 12 months. At the end of 12 months, SOC 2 Type 2 report will begin with assessing the effectiveness of the controls put in place for the year.1
Previously in our earlier blog, we stated the cost for a SOC 2 report will range from $20K to $70K, depending on the audit firm, and it needs to be updated annually. Since then, we have received additional information estimating that the cost for a SOC 2 report is around $140,000. A SOC 2 is cost-prohibitive for most agencies and is a more detailed examination than a small to mid-size agency needs.
Option 2: Signed Attestation
You can dig through the online documents and complete the requirements for HIPAA compliance in 40-70 hours of work, or you can find a vendor that can lead you through the compliance process.
Whether you do it yourself or hire an outside company, Option 2 will cost a lot less than a SOC 2. Once an agency has completed the requirements outlined in the HIPAA law (as defined under Part 160 of Title 45 of the Code of Federal Regulations), the agency’s leaders can comfortably sign the attestation.
The BCBS-T letter states, “If you don’t return the BAA and required documentation, it could jeopardize your business relationship with us.” BCBST means business!
Many agents have not received the letter or possibly ignored the communication. These agencies could be in for a big surprise later this year. The letter indicates that all agents must meet these guidelines by July 1, 2018.
What if the agency signs the attestation without implementing the compliance requirements?
This is a huge risk for an agency! If there is a breach, not only could the agency lose their contract with the carrier (which would be financially devastating to most agencies), but the agency could be fined by HHS OCR and in some states, sued by its clients using HIPAA as a standard of care.2
What should my agency do?
Very few agents will choose a SOC 2 report because of the cost. It takes two years to complete and must be updated yearly.
The most cost-effective approach is to implement a comprehensive HIPAA compliance program. The process requires you to complete a Risk Assessment (analysis), generate customized Privacy and Security Policies and Procedures and train your staff on the law and your agency’s requirements. Going this route will cost you a fraction of completing a SOC 2.
Want to learn more about HIPAA Prime™, and how Total HIPAA can help your agency sign the carrier attestation without breaking into a cold sweat? View this video about HIPAA Prime and then contact us:
Courts in Connecticut, North Carolina, Missouri, and West Virginia have ruled patients can sue their doctors directly using HIPAA as a standard of care. This means the patients aren’t actually suing for a HIPAA violation, but suing providers for medical malpractice, saying HIPAA Privacy and Security are reasonable expectations from your healthcare provider.