Since 2013, when Congress passed the Omnibus Rule, business associates (BAs) dealing with medical entities have been held to the same standards for protecting PHI (Protected Health Information) as covered entities (CEs), and so have their subcontractors. This means every vendor with access to patient data that a medical practice or hospital contracts with must be HIPAA compliant – no ifs, ands, or buts; it is the law!
Unfortunately for covered entities, if a data breach occurs at a business associate, the CE must still comply with the breach notification rules, including notifying the Department of Health & Human Services (HHS), the individuals affected, and local media outlets (if the breach affects more than 500 individuals).
Are Your Business Associates a Risk or an Asset?
Per an April 2017 issue of Medical Practice Compliance Alert, “One-third of the settlements inked in 2016 with OCR [the Office of Civil Rights of the U.S. Department of Health and Human Services] dealt with breaches involving business associates.” The article goes on to say, “Business associates who farm out work create more risks for your patients’ PHI.”
12 Best Practices to Reduce Your Risk from a Business Associate:
- Expertise Working with Medical Clients – Don’t risk your reputation, or a fine, by working with a business associate that has no experience with clients in the medical industry. It would take a great deal of your time to educate a BA on how to be HIPAA compliant, not to mention all the time spent checking behind them to make sure they did everything correctly.
- Experience Working with Similar Size Entities – Experience working with CEs isn’t enough; you need to find a BA with experience working with companies of roughly the same size as yours.
- Require You to Sign a BAA – You shouldn’t even have to ask a reputable business associate to sign a BAA (Business Associate Agreement); they should require you to sign one before doing business with them.
- Educate You – I look for business relationships where I can learn something, and with HIPAA I suggest hiring BAs that not only can do the work but also want to educate you. Check their website for HIPAA education, whether blog posts (like this one), guides, webinars, presentations, or other content.
- Due Diligence – Check a business associate’s references and explicitly ask for similar-sized medical entities.
- Vigilant, Not Relaxed – When interviewing potential vendors, pay attention to how they respond to questions about HIPAA and data protection. They should be vigilant about every aspect of protecting PHI.
- Understands the Repercussions – If a BA doesn’t understand the risk that both you and they face by not being HIPAA compliant, do not proceed. Their naivety puts you at great risk.
- Sole Source Majority of Scope – Ask the company which aspects of the scope of work are done in-house by their W-2 employees and which are contracted out. Furthermore, ask about their telecommuting policy for employees and how PHI is shared with employees outside the office.
- Ask What is Subcontracted – Ask every BA you interview who their subcontractors are, and if you hire them, ask to see their BAAs with those subcontractors, because the risk flows back up to you.
- Stands Firm on Responsibility – Things happen, and you need a company that will take accountability for mistakes and put processes in place to prevent them from happening again. Being HIPAA compliant doesn’t mean your PHI is impermeable; it means you’ve done your best to protect it, including hiring the right business associates.
- Regularly Review & Update – Things change: your company grows, hopefully your BA grows, HIPAA regulations change, and technology evolves, so you need to periodically review your policies and make the necessary updates. Don’t take your current relationships for granted and assume all of your vendors are HIPAA compliant just because they’re already working with you.
- Document – A vital aspect of HIPAA is documenting the security of your PHI, the changes you plan to implement, and the changes already made to further protect patients.
An ounce of prevention beats a pound of cure, including when selecting business associates. Unfortunately, many covered entities do not understand their responsibilities when dealing with business associates, and even more business associates don’t realize they must be HIPAA compliant.
We’ve heard horror stories from clients whose previous IT support companies said they didn’t need to be HIPAA compliant because they were an IT firm, not a medical practice. Another prospective client told us their IT firm refused to sign a BAA because they didn’t have access to the patient data, yet the IT firm had remote and physical logins to their server, keys to their office, and the ability to create/delete user logins on the server. With that much access, they clearly needed a BAA.
Be vigilant in your efforts to protect your PHI, including protecting it from unqualified business associates.