This is part 1 of a 3-part series on healthcare business associates risks.
Picture this: You’re a small consulting firm and you were hired to do an audit on coding for a healthcare insurance provider. Suddenly your client discovers that patient records have been lost or stolen, they’re investigating the incident, and they contact you to determine whether your firm was a cause of the data breach. The questions start, and they want immediate answers: what information you have in your possession, how it’s used, etc. Will you have answers ready? Worse yet, imagine that the finger is pointing at you, and you suddenly find that you may be facing compliance and regulatory fines, and even patient lawsuits. Sure, you do business with a few healthcare organizations, but you don’t provide medical treatment or even payment processing, and you’re only a small company. How can this be happening to you?
What is a Business Associate?
Welcome to the new world of healthcare privacy. Today, everyone involved in the healthcare industry, even remotely, needs to know their responsibilities regarding data privacy and security compliance because everyone is potentially held accountable by customers, regulators, the courts, and their business partners. Under the Final Rule of HIPAA (the Health Information Portability and Accountability Act), business associates of healthcare organizations, or third parties, are now held responsible for following privacy regulations and facing fines if they don’t.
The definition of a business associate (BA) has broadened. BAs are now being audited by the Department of Health and Human Services’ Office for Civil Rights (OCR), and a new report from the Ponemon Institute found that business associates’ average cost from a data breach is 1 million dollars. So no matter the size of your business or how far removed you are from the front lines of medical care, you can’t afford not to know your responsibilities and how to handle protected healthcare information (PHI).
Chances are, you are a business associate. In all likelihood, when you set up your business arrangement with your client, they will have asked you to sign a business associate agreement (BAA). This clarifies your role (under HIPAA regulations) relative to your client. But in rare cases, you may have a client agreement where they neglected to have you sign a BAA.
If you’re not sure, the short answer is that if you handle patient information that can in any way identify a specific person (what HIPAA calls PHI), then you’re a business associate. As a BA, you are subject to the regulatory requirements of HIPAA and to penalties if you don’t comply. The official definition in the HIPAA Final Rule (also called the Omnibus Rule) says that a BA is any person or organization that:
- Creates, receives, maintains, or transmits PHI on behalf of a covered entity or an Organized Health Care Arrangement (OHCA) for a regulated function or activity. These include claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management, or repricing.
- Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity, if the service involves the disclosure of protected health information (PHI).
The Department of Health and Human Services (HHS) website says typical business associates of a healthcare organization might include:
- A third party administrator that assists a health plan with claims processing
- A CPA firm whose accounting services to a healthcare provider involve access to protected health information
- A consultant that performs utilization reviews for a hospital
- A healthcare clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer
- An independent medical transcriptionist that provides transcription services to a physician
- A pharmacy benefits manager that manages a health plan’s pharmacist network
But now the Omnibus Rule has expanded the definition of a BA to also include:
- Those who store or otherwise maintain PHI, such as an Internet service provider (ISP) or cloud service company
- Health Information Organizations (HIOs), e-prescribing gateways and others who provide data transmission services to a covered entity and require routine access to PHI
- Anyone who offers a personal health record to individuals on behalf of a covered entity. (HIPAA regulations now require that individuals have access to their health records.)
- Subcontractors of business associates, if the business associate delegates to the subcontractor a function that involves the creation, receipt, maintenance, or transmission of PHI
What are Your Privacy and Security Compliance Responsibilities?
At this point, if your business works with any healthcare-related organization and is not one of the excluded types, you are probably a BA, and you need to know your responsibilities and risks.
A business associate agreement is a contract between the business associate and the HIPAA covered entity (CE) that the BA works with. The contract contains special language required by the HIPAA statute. A BAA describes the permitted and required uses of PHI by the business associate, provides that the business associate will not use or disclose PHI except as specified in the contract, and requires the business associate to use appropriate safeguards to prevent exposure or unauthorized use of the information.
As a BA, you have direct obligations to federal regulators to follow the Privacy, Security and Breach Notification Rules of the HITECH Act and the Omnibus rule. The importance of your BAA, therefore, is that it clarifies areas where you have to work with your client (the covered entity) under certain circumstances, most specifically, data breach notification. For example, if you discover an incident that you think is a data breach, you’re obligated to notify your client. Your BAA probably outlines the timeframe required for this notification, and if breach and patient notification are ultimately required, who would bear the costs if you as the BA caused the breach.
As of September 22, 2014, all CEs were required to have these contracts in place with all of their BAs, and that is one of the things that OCR will be checking as it does audits of randomly chosen healthcare organizations over the next few years. In fact, according to law firm McDonald Hopkins, the law now requires that subcontractors with whom BAs share PHI must also have agreements, so there could be a web of agreements between CEs and BAs, between BAs and their subcontractors, and sometimes between the subcontractors themselves.
How to Be a Successful BA and Meet HIPAA Compliance
HIPAA (and your BA agreements) will require your organization to put in place three kinds of safeguards for PHI:
- Administrative: This includes doing a risk analysis to understand what kinds of PHI you have, how you use it, where it could be vulnerable, and what the impact could be if it were lost, stolen, or exposed. Based on the risk analysis, you will develop policies and procedures to protect that PHI and to outline your response in case of a breach or suspected breach.
- Technical: These are safeguards built into your IT systems and procedures, even the ones you may have outsourced to another vendor such as an application services or network services provider. (Remember that the safeguards may include BA agreements between you and those providers.)
- Physical: These include measures such as limiting access to your facilities, systems, and data storage areas to authorized personnel; having security policies for use of laptops and mobile devices; and making sure that materials are recovered and access is taken away when someone leaves your organization.
If you are a small or mid-sized organization, as are many BAs, chances are you don’t have data privacy or security experts on staff, and starting on all these measures may be daunting. Fortunately, there is an obvious and cost-effective place to start: the risk analysis. You can bring in expert help for that step, and the results will show you where you are most vulnerable and where to concentrate your efforts and your spending. Guided by the risks, you can address the most critical areas first and then grow your security programs as necessity dictates and as time and budget allow.
PHI security is a lot to take on, especially in this age of cyber-attacks and daily breaches in the news. For the first time, this year’s Ponemon Institute report found that criminal attacks were the number one cause of data breaches in healthcare. Web-borne security attacks caused security incidents for 78 percent of healthcare organizations and 83 percent of BAs. These challenges really can be overwhelming, so it is important to remember that the purpose of all of these regulations and contracts is to keep patients safe. So while there is work and expense in putting BA agreements and new security and privacy procedures in place, in the end, it will benefit your business, your business partners, and the patients you both serve.
Rick Kam, CIPP/US is president and co-founder, ID Experts.