Question
Welcome to a Bite-Size HIPAA® Q&A article where we answer your questions about how HIPAA applies to your dental practice. We recently received the following question in our Bite-Size HIPAA® Q&A inbox. The writer says:
"We are having some difficulty getting one of our business associates, our IT company, to sign our business associate agreement (BAA). We love working with them, but they are unwilling to sign because of a requirement in the BAA that they carry $1M in cyber liability insurance. Is this reasonable? Any suggestions on what we should do?"
The HIPAA Law
Thank you for the question. Agreeing to all the terms in a BAA can be daunting to small businesses. Hopefully we can clear this up for everybody. Let's see what the HIPAA Law has to say about BAA requirements and cyber liability insurance specifically. Section 164.308(b) requires that before you share any PHI with a business associate, you must obtain satisfactory assurances that the business associate will appropriately safeguard the protected health information, and that these satisfactory assurances must be documented in writing, either in the form of a contract or another agreement between you and the business associate. This document is called a Business Associate Agreement or BAA.
Section 164.314(a) lists several other requirements for BAAs, but it does not include a requirement for cyber liability insurance. So, as far as HIPAA goes, you do need to get your IT provider to sign a compliant BAA before allowing them any access to PHI, but the cyber liability provision is not required.
However, let's think about why that requirement is in your contract before we cut it. Most BAAs state that, in the event of a breach caused by the business associate, the BA will be liable for paying all the damages, including the cost of notifying patients. According to a 2022 industry report, data breaches typically cost businesses $175 per record when the data was breached through a malicious attack. So, do you think your IT provider could cough up $350,000 if the patient records of your practice are compromised? Let's dig deeper. How many other customers does your IT provider service? Do they have remote access to all those networks? If so, a single breach at their main office could compromise all of those offices. We're talking about potentially millions in costs and damages. This is exactly what happened in 2019 at two different dental IT providers: Complete Technology Solutions in Colorado and PerCSoft in Wisconsin. Both were targets of a ransomware attack that used the IT provider's remote access software to infiltrate and attack over 500 dental practices. I don't know of any IT provider that could afford to handle a breach of that magnitude without cyber liability insurance.
Summary
So, to summarize - under HIPAA you must have a BAA in place before sharing any PHI with a business associate. So your IT provider does need to sign, but you do not need to include the cyber liability provision if you don't want to. That being said, if it's not included, then you should make sure that your own insurance coverage will protect you in the case of a breach, because the IT provider likely would not be able to pay for the damages. Thanks again for the question.
Have a HIPAA Question?
If you have a HIPAA question related to the day-to-day operations of your dental practice, feel free to send it my way. My email address is todd(at)bitesizehipaa(dot)com. I can't promise I'll be able to get to every question submitted - but I'll do my best to find the most applicable ones to address in future Bite-Size HIPAA® Q&A's.