A reference for business associates using the SecurityMetrics HIPAA Guide at their organizations.SecurityMetrics 2018 Guide to HIPAA Compliance on November 30, 2017.
Business associates (BA) and small entities will benefit from this desk-side HIPAA reference, especially since they may have limited resources and are often self-taught.
Our HIPAA Guide was created to help business associates with some of the more challenging aspects of HIPAA compliance like the minimum necessary rule, secure data deletion, business associate agreements, and network segmentation.
If you’re a BA and in charge of HIPAA, you can use the following page numbers and HIPAA Guide highlights to help guide you through your more common HIPAA concerns and challenges.
Common business associate concerns (PP. 11-12)
Reminder: a BA is a person or entity that performs certain functions that involve the use or disclosure of PHI (e.g., IT provider). Business associates can be from legal, actuarial, consulting, data aggregation, management, administrative, accreditation, and/or financial organizations. Some possible business associate functions include:
- Claims processing or administration
- Data analysis, processing, or administration
- Utilization review
- Quality assurance
- Benefit management
- Practice management
- Do Business Associates have to be HIPAA compliant?
- Are Business Associates responsible for patient data?
SEE ALSO: HIPAA FAQS
Minimum necessary requirement (P. 100-102)
A large portion of the Privacy Rule is based on the minimum necessary requirement, which states that only those who need to see or access PHI to do their jobs should get to see or access it.
BAs often think their covered entity holds the sole responsibility of deciding how much data they receive. This is simply not the case. Both business associates and covered entities have a minimum necessary responsibility under HIPAA.
BAs should only accept and use the minimum amount of data necessary. Even they can face fines from HHS if they accept or demand more data than is necessary from covered entities. As a business associate, if you receive too much data from a covered entity, you are responsible for letting the covered entity know.
Check out page 102 of the HIPAA guide to learn about instances when the minimum necessary rule does not apply.
Permanently destroy or delete PHI (PP. 21, 26-27, 105)
The first step to managing/deleting old data is deciding how long you need to keep it. Many states have requirements about the amount of time that you must keep patient data. This can apply to uses and disclosures and even the patient record. Entities commonly maintain data for a minimum of a decade. If a patient has passed away, there will be additional requirements for data retention that must also be considered.
The second step is to understand how to permanently destroy or delete data. Most people understand that physical sensitive data should be destroyed permanently by shredding, burning, or pulping.
But when it comes to electronic data, merely deleting or moving sensitive information to the Trash or Recycle Bin on your computer will not permanently remove it. Your computer won’t be able to find that file, but it still exists.
The HHS has determined that for electronic PHI, overriding or clearing (i.e., using software or hardware products to overwrite media with non-sensitive data) is the best way to securely delete sensitive patient data on systems still in use.
When thinking about how to permanently delete files from your network, don’t forget about any archived data, including:
- Time Machine backups
- Cloud backups
- External hard drive backups
- CD or DVD backups
- Email backups
- FTP backups
- Server backups
- Mirror backups
- Offsite backups
But if you don’t plan to use the media again, it’s highly recommended to physically destroy it. Some third-party organizations have industrial-sized shredders to dispose of larger hardware.
Business associate agreements (PP. 110-113)
The HIPAA Final Omnibus Rule requires covered entities to implement or update a business associate agreement (BAA) when a BA creates, receives, maintains, and/or transmits electronic patient data.
In these new or revised BAAs, covered entities, business associates, and subcontractors agree to share responsibility for patient data protection and breach notification. Here are a few examples of what should be included in your business associate agreement:
- A minimum necessary policy
- Business associate’s permitted use of PHI
- Prohibited use of PHI
- Covered entity’s responsibility
- Appropriate safeguards to protect PHI
- Breach reporting guidelines
- Contract termination provisions
SEE ALSO: Business Associate Agreements 101
Network segmentation (PP. 12, 46-47)
Business associates often set up large flat networks, where everything inside the network can connect to everything else. You may have one firewall at the edge of your network, but that’s it. Generally, the more places that have access to patient information, the higher the chances for a HIPAA violation or data breach.
Network segmentation can be achieved through use of specific firewalls and the sectioning off of systems that contain or receive PHI from the rest of the network.
Network segmentation is especially useful for you if you need to protect PHI. If done properly, it can greatly reduce time, energy, money, and potential liability related to HIPAA.
SEE ALSO: PIIscan Searches Systems for Unencrypted Data
HIPAA applies to business associatesEven though as a business associate, you may not deal with patients and their data in the same exact way as covered entities, you are still required to comply with HIPAA rules and regulations.
The SecurityMetrics 2018 HIPAA Guide provides plenty of guidance specifically for business associates to help you keep data safe and move towards HIPAA compliance. Our ultimate goal is to empower individuals at organizations to protect patient data. We want to provide resources that educate employees at all levels about HIPAA rules and regulations.
Have questions about data security, HIPAA compliance, or interested in a HIPAA audit? Contact us.