Since 2016, managing business associates has become more demanding. In Phase 2 of the HIPAA Audit Program, the HHS Office for Civil Rights (OCR) reviews the policies and procedures that covered entities and their business associates have adopted and actually use to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.
Federal regulators are preparing to tighten oversight of the often porous flow of patient data handled by contractors, whose security failures have been linked to the exposure of nearly 33 million individual medical records since 2009.
Protected health information (PHI) is individually identifiable health information that a covered entity or its business associate creates, receives, maintains, or transmits, and its privacy and security are protected under HIPAA. The definition is broad: it covers information about an individual's past, present, or future physical or mental health, the provision of healthcare to the individual, or payment for that healthcare, whenever the information identifies the individual or could reasonably be used to do so.
Here are four steps to ensure your business associates are compliant:
- Re-examine all of your vendor relationships to determine if they qualify as business associates
The Omnibus Rule defines business associate as any individual (other than a member of the covered entity’s workforce) or organization that performs either of the following:
- Creates, receives, maintains, or transmits PHI on behalf of a covered entity or an Organized Health Care Arrangement (OHCA) for a function or activity regulated under the HIPAA administrative simplification rules, such as claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management, or repricing
- Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity, if the service involves the disclosure of PHI
A covered entity or business associate that knows of a compliance gap and leaves it uncorrected is exposed to civil monetary penalties; under HIPAA's tiered penalty structure, willful neglect that is not corrected draws the highest tier.
- Don’t rely on standard business associate agreement language
The boilerplate language in a standard BAA is too general to protect your organization. Stating that your partner is responsible for protecting PHI is not enough; you must also specify how they are expected to do it.
For example, consider the following statement from a standard BAA: “Business Associate shall implement and maintain appropriate safeguards to prevent the use or disclosure of PHI, other than as provided in this Addendum or as required by HIPAA or the Privacy Regulations.” Nothing in that sentence tells the business associate what “appropriate” means. Spell out the administrative, physical, and technical safeguards you require, such as encryption of PHI in transit and at rest, role-based access limited to the minimum necessary, access logging, and workforce training.
The BAA should also specify how the partner will enforce compliance, through employee training, supervision, internal auditing, and other measures. Include specific details in the breach notification clause: how and under what circumstances the associate must contact you, what information the notice must contain, and the time frame for doing so. The Breach Notification Rule gives a business associate up to 60 days after discovery to notify the covered entity, and that 60-day clock is a ceiling, not a target; a well-drafted BAA sets a much shorter contractual deadline so that the covered entity can meet its own notification obligations.
- Require a security risk assessment
Performing a security risk analysis is a HIPAA Security Rule requirement that is often overlooked. At the time of writing, half of the settlements announced by OCR in the preceding 12 months, and many of the $1 million-plus settlements reached during that period, involved failure to perform an adequate risk analysis.
In its Guidance on Risk Analysis Requirements under the HIPAA Security Rule, OCR advises organizations to use NIST Special Publication 800-30, “Guide for Conducting Risk Assessments,” as a methodology for the HIPAA risk analysis. Note that this is distinct from the risk assessment required under the Breach Notification Rule: after an impermissible use or disclosure of PHI, the covered entity or business associate must assess (considering the nature of the PHI, who received it, whether it was actually acquired or viewed, and how far the risk has been mitigated) whether there is a low probability that the PHI has been compromised. Unless that assessment demonstrates a low probability, the incident is presumed to be a breach and must be reported to the affected individuals and to HHS.
- Develop a vendor risk management strategy
Vendor risk management is the process of assessing and managing the security risk introduced by any third-party supplier, and a deliberate strategy for it is essential. Because federal rules govern the privacy and security of PHI, covered entities are obligated to protect not only their own operations and information but also the PHI handled by contracted vendors.
Unfortunately, contracted vendors have not always handled PHI responsibly, and their failures account for a growing share of healthcare breaches. Healthcare organizations also frequently sign contracts with outside vendors without first investigating each vendor's compliance.
Because vendor risk has been poorly managed across the industry, federal investigations have become more targeted and now include third-party vendors and business associates. Healthcare organizations must understand the vulnerabilities and the controls in place at each contracted vendor, because the privacy and security of PHI remain the covered entity's responsibility regardless of where the information lives.
The biggest challenge for covered entities is the sheer volume of vendors to track. Even a small hospital may hold up to a hundred BAAs, a count that does not include the subcontractors its business associates engage, who are themselves business associates under the Omnibus Rule and must also be assessed and managed.
Summary
Internal compliance measures alone will not protect a covered entity from compliance violations involving PHI; its business associates can expose it to the same liability. Best practice is to establish a comprehensive vendor management process that verifies every vendor handling PHI is in full compliance.