Could Your Business Associates Cost You Millions?
In the past couple of weeks, the Department of Health and Human Services’ Office for Civil Rights (OCR) has shone a spotlight on the importance of relationships and written agreements between covered entities and business associates. Business associates are third-party vendors that help covered entities with day-to-day operations. Sample business associates are:
- Third party billing or coding company
- Third party shredding company
- Accounting firm that gets access to protected health information
- Electronic health record vendor
- Third party secure messaging company
- Third party information technology organization
- Health Information Exchange
- E-prescribing gateway
Under HIPAA, a business associate is any third-party vendor that performs functions or activities on behalf of a healthcare organization that involve the use or disclosure of protected health information (PHI). Those functions and activities typically revolve around the creation, use, transmission, storage, and destruction of PHI.
The spotlight is on the relationships between the covered entity and its business associates. The covered entity must ensure that a business associate agreement (BAA) containing proper assurances for the protection of health information is in place with each business associate. In March 2016, OCR reached a $1.55 million settlement with a healthcare organization for not having a business associate agreement in place with a third-party collections company. The collections company had lost a laptop with PHI on it, and without a signed business associate agreement the covered entity was found to be out of compliance with HIPAA.
A week later, OCR reached a $750,000 settlement with a clinic for not establishing a business associate agreement with the organization it hired to destroy its x-ray films. In this case the covered entity did not conduct due diligence to understand how and where the x-ray films were going to be destroyed. The x-rays ended up being part of a scam in which films were bought so that the silver could be extracted from them. It is believed that the records were destroyed; however, there is no confirmation that this was actually done.
Under the Omnibus Rule of 2013, working with your business associates to protect PHI from unauthorized use and disclosure, and so prevent data breaches, is no longer optional but a requirement. Business associates have been involved in roughly 20% of all reported data breaches affecting 500 or more individuals, and several of the largest breaches by number of individuals affected have involved business associates. The HIPAA audits will continue to focus on the relationships between business associates and covered entities. Here are 8 tips to help your organization successfully manage business associate relationships.
- Update your Business Associate Agreement to ensure it meets all requirements of the Omnibus Rule of 2013
- Make sure your business associate agreement contains the updated language from the 2013 HIPAA Omnibus Rule. If a business associate agreement was signed before September 23, 2013, it must be re-signed with the updated language. HHS has published sample business associate agreement provisions that can be used as a starting point.
- Know who your business associates are
- It is essential that an organization identifies its business associates and establishes a business associate agreement with each of them. An effective way to find them is to review accounts payable for the last 3-6 months to see which third-party vendors the organization is paying, then evaluate each vendor to determine the functions and activities it performs on the organization’s behalf. If those functions or activities involve the creation, use, storage, transmission, or destruction of PHI, the vendor is a business associate and a business associate agreement is required.
- Have a strong internal process to manage business associates
- Be clear about who manages and owns the process of getting a business associate agreement in place with a new vendor. Have a defined process, and a person or group accountable for it, so that the agreement is signed before the vendor is given access to PHI rather than discovered missing afterward.
- Have a list of all business associates within your organization
- A simple spreadsheet recording who the business associate is, its contact information, the contact person, when the BAA was signed, and any special arrangements is a great document to have in place.
- Obtain assurances that the business associate properly protects patient data
- Don’t be afraid to ask your business associates what safeguards and processes they have in place to protect the information they will access while performing activities and functions on your organization’s behalf. It is up to your organization to decide how deep to go, but it is good practice to ask some basic questions (for example, whether PHI on laptops and portable media is encrypted, who has access, and how records are destroyed at the end of the engagement) to understand how protected health information is being safeguarded.
- Have a clear process for communication when a breach investigation is happening
- Business associates must investigate suspected breaches and notify the covered entity without unreasonable delay, and in no case later than 60 days from the date of discovery. The 60 days is a ceiling set by the Breach Notification Rule, not a target; the business associate agreement can, and usually should, require a shorter reporting window, since the covered entity’s own deadline to notify affected individuals is also measured from discovery. It is important for the covered entity to establish a clear, concise reporting process with the business associate. Additionally, if the covered entity wants to be involved in the investigation, that should be requested and agreed upon between the covered entity and the business associate.
- Regularly re-sign your business associate agreements
- While it is not a requirement, regularly re-signing business associate agreements is a good habit to get into. One recommendation is to re-sign the business associate agreement whenever you renew the underlying contract or change the business associate’s scope of work.
- Apply minimum necessary to your business associates
- Business associates should not get access to any and all information in your health records and billing systems. The covered entity should analyze what each business associate actually needs and provide only the information and access required to complete the contracted activities and functions.
As a covered entity, it is time to ensure that your organization is properly managing its business associates. The responsibility for having business associate agreements in place rests with the covered entity. OCR has made clear that even when a data breach is caused by a business associate, the covered entity remains responsible for its own compliance (and, under the Omnibus Rule, the business associate is directly liable as well). Don’t assume or trust that a business associate has adopted best practices and is HIPAA compliant – ASK! By taking a few steps and actively working and partnering with your business associates, covered entities can more effectively manage and protect their patients’ protected health information.
Join our mailing list to receive the latest HIPAA news and updates from the Planet HIPAA team. Your information will never be shared.