By Robert Lord
ICIT Fellow, Co-founder and CEO of Protenus
Running a healthcare organization at peak efficiency means many external partners are necessary to support different parts of the business: billing, staff augmentation, data processing, and a wide array of other functions. Many of these are business associates (BAs) that work with sensitive protected health information (PHI), making it important to ensure there are guidelines in place to reduce the risk associated with working with business associates.
A refresher on who is a business associate
In 2013, U.S. federal law mandated that business associates become directly responsible for the security and privacy of the patient data under their care. For the first time, they became subject to the same fines and penalties as healthcare organizations.
HIPAA defines business associates to be a third-party organization which creates, receives, or transmits PHI on behalf of a healthcare organization. The U.S. Department of Health and Human Services (HHS) website outlines some of the various services that a business associate might provide to a healthcare organization:
- data aggregation
A business associate agreement (BAA) is a contract between a HIPAA covered entity and one of its business associates. The contract specifies how the BA can use the PHI it is entrusted with, ensures that the BA will not use the information outside of those parameters, and requires prevention of inappropriate access to the patient data. Lastly, the BAA often establishes the timeframe in which a BA would have to alert a healthcare organization in the case of a breach. BAAs are an excellent place for business associates to start examining where they might fall on the privacy analytics paradigm due to the agreements outlining what obligations the BA has to the healthcare organization.
The Road to Success
Cybercriminals are increasingly targeting BAs because they often lack robust security, leaving them more vulnerable to sophisticated criminal attacks. 60% of business associates reported at least one data breach in the previous two years, not accounting for breaches that had yet to be discovered. With the average cost of a data breach for a BA reaching $1 million, everyone should take a good look at a BA’s privacy posture and determine where improvements can and should be made.
Ask BAs about how they mitigate risk
A great place to start this process is an understanding of how BAs mitigate risk. Ask questions like:
- What are the ways your team demonstrates compliance with HIPAA regulations, and how often are these demonstrations reviewed and/or updated?
- Has your product achieved Meaningful Use certification (if applicable)?
- Has your product achieved SOC II certification (if applicable)?
- Does your team have a designated person responsible for compliance with HIPAA regulations?
This dialog will help you pinpoint any compliance gaps in the BA’s security procedures or policies. You should also evaluate the BA’s data itself, examining what kinds of PHI the organization has, and how it uses and protects that information. It’s important to understand the methodology a business associate uses to continuously improve its security posture.
Include BAs in your Incident Response Plan (IRP)
In the event of a health data breach, having an Incident Response Plan (IRP) in place that takes into account your BAs is absolutely critical. The IRP should include, but not be limited to:
- Predetermined team members with defined roles and responsibilities, including how BAs should be informed and what steps, if any, they must take to comply with your IRP
- A list of any external resources that must be consulted (e.g., forensic investigators)
- Explanations of relevant federal and state regulations, particularly notification obligations
Recent events have suggested that it is becoming less a question of ‘if’ but rather ‘when’ a business associate will suffer a data breach. An IRP helps organizations prepare for the inevitable.
Have proper technical and physical safeguards
HIPAA also requires business associates to have technical and physical safeguards to ensure that patient data is properly secured. Ensure BAs protect electronic PHI (ePHI) through safeguards including, but not limited to:
- Controlling access to ePHI by assigning a unique username to each employee
- Creating automatic log-offs from workstations after a certain amount of inactivity
- Encrypting ePHI to protect it from unauthorized access
- Implementing an audit system that both records and examines user activity
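The last safeguard in the list, an audit system that both records and examines user activity, is the one that most often exists only as recording. As an added example (not code from the article or from any BA's product), the following Python reviews a constructed ePHI access log and flags three patterns a compliance reviewer would want surfaced: use of a shared account rather than a unique username, access to a patient outside the user's own department, and access outside business hours. The log format, the department model and the thresholds are assumptions made for the example.

```python
"""Review a constructed ePHI audit log for access patterns worth a second look.

Assumed log format (one record per line, whitespace-separated):
    <ISO timestamp> <user> <user department> <patient id> <patient department> <action>
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import List

# Constructed sample records for the example; not real data.
SAMPLE_LOG = """\
2024-03-04T09:12:44 jsmith cardiology P1001 cardiology view
2024-03-04T09:15:02 jsmith cardiology P1002 oncology view
2024-03-04T02:41:10 agarcia billing P1003 cardiology export
2024-03-04T10:05:33 nurse_shared cardiology P1001 cardiology view
2024-03-04T11:20:00 mlee oncology P1002 oncology update
"""

# Assumed review rules: substrings that mark a non-unique account, departments
# whose job requires access across the whole patient population, and the window
# outside of which access is flagged for review.
SHARED_ACCOUNT_MARKERS = ("shared", "generic", "temp")
CROSS_DEPARTMENT_ALLOWED = {"billing", "medical_records"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))


@dataclass
class Finding:
    line: int     # 1-based line number in the log
    user: str
    rule: str     # which review rule fired


@dataclass
class Record:
    timestamp: datetime
    user: str
    user_dept: str
    patient: str
    patient_dept: str
    action: str


def parse_record(line: str) -> Record:
    """Parse one log line into a Record; raises ValueError on malformed input."""
    fields = line.split()
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}: {line!r}")
    ts, user, user_dept, patient, patient_dept, action = fields
    return Record(datetime.fromisoformat(ts), user, user_dept, patient, patient_dept, action)


def review(log_text: str) -> List[Finding]:
    """Apply each review rule to every record and return the findings in log order."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(log_text.splitlines(), start=1):
        if not raw.strip():
            continue
        rec = parse_record(raw)

        # Rule 1: every employee should act under a unique username; shared
        # accounts defeat the audit trail entirely.
        if any(marker in rec.user.lower() for marker in SHARED_ACCOUNT_MARKERS):
            findings.append(Finding(lineno, rec.user, "shared-account"))

        # Rule 2: access to a patient outside the user's department, unless the
        # user's department legitimately works across departments.
        if rec.user_dept != rec.patient_dept and rec.user_dept not in CROSS_DEPARTMENT_ALLOWED:
            findings.append(Finding(lineno, rec.user, "cross-department-access"))

        # Rule 3: access outside the assumed business-hours window.
        start, end = BUSINESS_HOURS
        if not (start <= rec.timestamp.time() <= end):
            findings.append(Finding(lineno, rec.user, "off-hours-access"))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per rule, the figure a periodic review report would carry."""
    counts: dict = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"line {f.line}: {f.user}: {f.rule}")
    print(summarize(review(SAMPLE_LOG)))
```

Each flagged record is a prompt for a human to ask why, not a verdict: the cardiology user viewing an oncology patient may have a consult note that explains it. The point of the example is that "examines user activity" means rules like these run on a schedule, with the output reviewed by the designated compliance person the earlier section asks about.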
Physical safeguards, required by HIPAA, are security measures that limit physical access to patient data. Making sure that facilities, systems, and data storage areas that contain PHI are locked is a simple way to prevent unauthorized employees from having physical access to that information. Likewise, creating policies that establish how and when laptops and other mobile devices may send and receive PHI is another method that BAs can use to protect patient information.
Training is essential
Finally, healthcare organizations need to make sure business associates are providing necessary HIPAA training. This training ensures employees have a proper understanding of what is expected of them when it comes to handling PHI. Training must not only inform employees of what constitutes a HIPAA violation, but should also explain what penalties and fines such a violation would incur. This knowledge is one of the best ways to prevent internal data breaches since it helps to create a business culture that actively values and protects patient privacy.
The best defense is a good offense
Business associates are directly responsible for the PHI under their care. This means that the HHS Office for Civil Rights (OCR) can fine BAs for failing to comply with HIPAA regulations – up to $1.5 million per violation. The costs of proactive preparation are dwarfed by the fines and other costs that follow a PHI breach.
Following these four key concepts ensures business associate best practices, helps greatly reduce the costs related to a breach, and helps health systems and BAs move past compliance towards the ultimate goal of HIPAA: the protection of patients’ most sensitive and personal information.