HIPAA Business Associate Agreement: Who’s Really Responsible?
Either manage your business associate security, or prepare for a data breach.
By: Tod Ferran
Business associate agreements
According to an analysis of breaches reported to the U.S. Department of Health and Human Services (HHS), ~30% of patient records breached from 2009 to 2014 involved a business associate.
That is why the HIPAA Final Omnibus Rule requires covered entities to implement or update a business associate agreement (BAA) for all relationships wherein the business associate creates, receives, maintains, or transmits electronic patient information.
Shared responsibility for security…and fines
In these new or revised agreements, covered entities, business associates, and subcontractors agree to share responsibility for patient data protection and breach notification. However, it’s still the primary responsibility of the covered entity to ensure that protected health information (PHI) is kept safe.
The HHS makes it clear that covered entities must ‘obtain satisfactory assurance’ that each BA safeguards the patient data it receives or creates on behalf of the covered entity. That means covered entities must put forth a good faith effort to assist their business associates in achieving HIPAA compliance.
Whether compromised from within your system or the system of a business associate, your organization can be liable for up to $50,000 per violation per day as a result of any breach of your patient data. And that’s just HHS penalties. That doesn’t include civil action, cost of mitigation, and loss of patient trust.
Now that HIPAA requirement stakes are raised, covered entities should do all they can to reduce risks by implementing a BA compliance program. Such a program should gauge your liability, help you locate BAs, discover what BAs do with your PHI, and help work towards compliance.
What’s your business associate plan?
It’s crucial to your reputation (and patient data security) that your BAs’ security stands firm against an attack. Your business associate plan should evaluate all existing BA security practices in order to help you address the riskiest vendors first. Then, risk and compliance managers would do well to design, implement, and monitor a mass risk evaluation of business associate networks.
A plan that starts with the highest risk BAs and tracks related progress will help you prove your good faith efforts to address BA compliance if the HHS decides to audit your organization.
Prioritize your riskiest business associates
According to recent Privacy Rights Clearinghouse data, reported medical data breaches occur every 4 days on average, with more than 5,000 records per breach. How many breaches could be avoided through a contractual expectation of basic business associate agreement compliance?
The first step in your action plan should identify all parties (business associates and subcontractors) that must become HIPAA compliant. After pinpointing responsible individuals within each party, it’s time to begin eating the BA compliance elephant.
This can be accomplished through a simple survey that classifies business associates per their use of electronic PHI data. Determine how much liability each BA holds by asking a set of risk-evaluating questions such as:
- Is the BA’s internal system connected to the Internet? If yes, are those external IPs scanned for vulnerabilities?
- How does the BA obtain protected health care data from you, and what data is received?
- What is the quantity of the data received?
- How is the data stored, protected, backed up, and destroyed by the BA?
What’s your risk status?
The HHS states that “doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.”
Ask your BAs for proof that they’ve completed a risk analysis. If not, recommend a trusted source to help.
It’s also important your BAs are up to date with their risk management plans and working towards compliance.
Put your foot down with your business associate agreement security
Many large covered entities are concerned their business associates will financially take advantage of them if forced to sign new agreements. Not willing to rock the boat, these entities intentionally ignore HIPAA regulations. That’s what the HHS calls ‘willful neglect’, and each violation is punishable with fines of up to $1.5 million.
Simply writing a separate BA agreement or agreement addendum that amends or supersedes the previous agreement will solve this common problem. Updated business associate agreements should specify the BA’s shared responsibility for proper use of data, breaches, misuse, and/or noncompliance.
Remember that HIPAA regulations require you to take action if you know or believe one of your BAs is not HIPAA compliant. This means either assisting the BA with correcting the issues, or terminating the relationship.
Track your business associates
As your business associates progress towards compliance, track their success to ensure an approved level of compliance. As the riskiest BAs reach compliance, begin to reach out toward medium-risk BAs to start the process with them. Don’t forget to reevaluate every BA’s plan and associated vulnerabilities each year.
Keeping business associates in touch with updated HIPAA requirements and data protection is a crucial part of monitoring BA compliance. Encourage continual education and training programs such as regular HIPAA security webinars or even an email newsletter. These friendly ways of reminding them about their obligation to PHI protection also keep you in the loop.
Tod Ferran (CISSP, QSA) is a Mensa aficionado, Cancun expert, and Security Analyst for SecurityMetrics with over 25 years of IT security experience. In addition to his many speaking engagements and webinars, he provides security consulting, risk analysis assistance, risk management plan support, and performs security, HIPAA, and PCI compliance audits. Connect with him for recommendations on excellent places to stay, activities, and restaurants in Cancun.