New effort seeks to standardize business associates agreements

Cost is at the heart of the problem

Business associates agreements and the related security assessments have long been a thorn in the side of healthcare organizations and companies looking to sell new tech to them, explained Santosh Mohan, head of More Disruption Please Labs at EHR vendor AthenaHealth, based in Watertown, Mass.

"Here's the deal: Most startups are in a hurry, and most of healthcare is not," he said. "It creates a lot of issues. It's the Habitrail of death. Business associates agreements take too much time, and they cost too much for everybody. You need to safeguard patient information with the security assessments, but it's not a sexy problem to solve."

The group has put its initial focus on creating standard security agreements, because they are a smaller piece of the overall business associates agreement and because they vary wildly from hospital to hospital, said Paige Goodhew, director of customer success at healthcare infrastructure integrator and platform provider Redox, based in Madison, Wis., and a member of the Digital Health Collaborative.

Here's the deal: Most startups are in a hurry, and most of healthcare is not.

"We've connected with 350 different health systems and done a couple of hundred security assessments, and you never really know what you're getting in to," she said. "A lot of times, it's a quick turnaround. But, sometimes, it's a 350-line spreadsheet. And, sometimes, it's a long Q&A."

The Digital Health Collaborative, which began this effort earlier this year during the HIMSS Conference, has already received over 50 different security assessments to review, said member David Barnett, chairman and COO at business intelligence tool provider Corsis, based in Livingston, N.J. It's time-consuming work.

"A lot of the issues that we've seen with security assessments are the subjectivity of it all," he said. "There is inconsistency through everything, so it is hard to create a comparison."

But while streamlining the process seems to make sense on the surface, some group members urged a thoughtful and flexible approach.

The security assessment process "is subjective on purpose," said Adam Landman, M.D., CIO at Brigham and Women's Hospital in Boston. "It isn't a list process, and we don't want it to be, 'Do 20 questions and be compliant.' We want to look at each innovation and understand the risks. We want that flexibility, or we might have to say no to more products than not. That's part of what makes this challenging. But I think we have an opportunity to standardize some of it."

Whittling away at interoperability issues

Any attempt to bring interoperability into the healthcare field is a good thing, said Josko Silobrcic, M.D., an adjunct lecturer at Harvard University's T. H. Chan School of Public Health and a conference attendee.

"I think this is very worthwhile," he said. "A lot of problems in healthcare are the result of a lack of coordinated and collaborative communication, and this is one of the attempts to mitigate some of that. This is the 'let's just chip away at it' perspective. We have to do the best we can and keep moving."

To date, the Digital Health Collaborative has compiled 180 sample security assessment questions that are being shared with CIOs, privacy officers, CTOs and startup representatives, Barnett said. But the group would still like to see more sample security assessments and business associates agreements and is open to more members and ideas.

"Reusability is going to be key," he said. "We want to speed things to market, so companies aren't spending days on end filling things out."