Are Your Vendors Putting Your Practice at Risk?
Manage your business associates to ensure HIPAA compliance.
Most healthcare providers rely on an array of vendors, subcontractors, and partners in their efforts to treat and care for patients. How you manage those relationships, and how your business associates safeguard the patient information you send them, can affect not only patient privacy but also the financial well-being of your practice.
Avoid Costly Oversights
Not having a signed agreement with a business associate is just one of the oversights that can cost healthcare providers thousands of dollars. To cite one example, according to an April 2017 HHS announcement, the Center for Children’s Digestive Health (CCDH), a small pediatric subspecialty practice that operates seven clinic locations in Illinois, paid the U.S. Department of Health and Human Services (HHS) $31,000 to resolve an investigation of a business associate it had engaged to store records containing protected health information (PHI). Neither CCDH nor the vendor, FileFax, Inc., could produce a current, signed business associate agreement.
Since 2003, HHS’ Office for Civil Rights has received more than 167,000 HIPAA complaints, and has initiated over 850 compliance reviews. Knowing how to determine which of your vendors qualifies under HIPAA as a business associate, and how best to comply with the Privacy and Security Rules, may spare your company the time and expense of an investigation.
Who Qualifies as a Business Associate?
According to HHS, a business associate is a person or entity that has access to PHI when acting on behalf of, or providing services to, a covered entity (such as health plans and healthcare providers). A business associate also is a subcontractor that creates, receives, maintains, or transmits PHI on behalf of another business associate. Business associate activities are typically administrative in nature and include functions such as claims processing, quality assurance, and billing. Legal, actuarial, and accounting services are other examples of business associate services.
The HIPAA Privacy Rule allows covered entities to disclose PHI to these business associates if they obtain satisfactory assurances that the business associate:
- Will use the information only for the purposes for which it was engaged by the covered entity;
- Will safeguard the information from misuse; and
- Will help the covered entity comply with the Privacy Rule.
The required satisfactory assurances must be documented through a written contract with the business associate.
Business associate contracts also serve to clarify and limit the permissible uses and disclosures of PHI by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate. Covered entities may disclose PHI to a business associate only to help the covered entity carry out its healthcare functions — not for the business associate’s independent use or purposes, except as needed for the proper management and administration of the business associate.
5 Essential Steps to Compliance
Healthcare providers can be proactive in their approach to compliance by creating and implementing a structured action plan. The compliance process involves five steps:
1) Create an inventory.
Understand how your company currently identifies and engages business associates. Obtain and review all policies and procedures related to identifying business associates and creating business associate agreements. Then, determine whether the policies and procedures do what they are supposed to do: accurately identify business associates and establish business associate agreements consistent with the established performance criteria.
The inventory process breaks down to:
- Who do we pay?
- With whom do we exchange information?
- Where are the contracts?
- Who accesses our systems?
- Who did we miss?
2) Determine whether an entity is your business associate.
Figuring out who qualifies as a business associate is sometimes not as straightforward as you might think. Here are a few questions to consider when evaluating both business associates and vendors:
Do they act on my behalf? To be your business associate, the entity must be performing certain functions on behalf of your organization. Vendors that receive PHI from you to provide services to other covered entities (e.g., the auditor for an insurance company requesting records from the hospital) are not your business associates.
Do they create, maintain, transmit, or receive protected health information? Remember to include anyone who has access to your computer systems.
Do they perform a business associate function or service? Data hosting, software development, and shredding services may be considered business associate functions, but a contracted healthcare provider receiving information to treat an individual is not acting as a business associate.
Are they a member of my workforce? People don’t have to be paid to be considered part of your workforce. They can be employees, volunteers, and trainees — anyone whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of the covered entity or business associate.
3) Establish the authority for disclosure.
If your analysis determines that an entity is your business associate, make sure a business associate agreement that satisfies HIPAA requirements is in place. If you determine that an entity is not your business associate, determine what other exception under HIPAA, such as treatment, payment, and healthcare operations, or public health reporting, allows you to disclose PHI to that entity.
4) Perform a risk assessment.
Although executing a business associate agreement will meet the minimum requirements and avoid penalties like those imposed against CCDH, perform an additional assessment to fully manage vendor risk. Consider also the amount of due diligence applied to each vendor. A variety of tools are available to assess this risk, including written questionnaires and on-site or off-site audits. The tools you use may vary based on your organization’s resources and the type or quantity of PHI to be provided to the vendor.
5) Create a response plan for breaches and violations.
Know in advance how you will respond if you discover that a business associate is not adequately safeguarding sensitive information. This response should include an analysis of whether the actions or inactions trigger breach notification obligations, as well as reasonable steps to cure the violation by the business associate or terminate the relationship. Your company can be liable if your employees knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the contract, and you failed to take reasonable steps to cure the breach or end the violation.
Healthicity’s Business Associate Manager software can help you identify business associates as well as manage their risk to your organization: www.healthicity.com/blog/a-whole-new-way-to-manage-business-associates.
Be Vigilant When It Comes to HIPAA
Protecting patients’ privacy and their sensitive health information requires constant vigilance for healthcare providers, especially as new applications of technology continually enter the healthcare setting.