Anesthesia Coding Alert

Partnerships:

Be Sure Your BAs Are on Board with HIPAA – Before It’s Too Late

Remember they’re under the same HIPAA regulations as your practice.

One of your most critical considerations when working with business associates, or BAs, is being confident that they are protecting your patients’ private information. And that means getting assurance that all BAs and vendors you partner with understand the importance of HIPAA compliance – before you share protected health information (PHI) with them.

Refresher: A BA “is any person or entity that performs a function or activity on behalf of the practice involving the use and/or disclosure of PHI that is not a part of the practice’s staff,” reminds Kent Moore, senior strategist for physician payment at the American Academy of Family Physicians.

Additionally, because these BAs have access to your patients’ medical records, they are subject to HIPAA regulations and scrutiny.

Remember This About BAs

“HIPAA requires covered entities and business associates to obtain ‘satisfactory assurances’ that their vendors that need access to protected health information will safeguard that information appropriately,” says attorney Shannon Hartsfield, an executive partner with Holland & Knight LLP in Tallahassee, Florida.

In the past, the HHS Office for Civil Rights (OCR) “has indicated that companies don’t necessarily need to do much more than obtain a written business associate agreement [BAA] from the vendor that complies with HIPAA and conduct a risk analysis,” Hartsfield adds.

For example, consider the OCR guidance on cloud services providers (CSPs), Hartsfield suggests. “The HIPAA rules do not expressly require that a CSP provide documentation of its security practices or otherwise allow a customer to audit its security practices,” according to OCR.

However: As part of the HIPAA Security Rule, CEs and BAs are required to “conduct an ‘accurate and thorough’ analysis of the risks and vulnerabilities to electronic protected health information (ePHI),” Hartsfield reminds. “OCR has indicated that customers may ask vendors for ‘additional assurances of protections for the PHI, such as documentation of safeguards or audits, based on their own risk analysis and risk management or other compliance activities,’” she says.

Remember: OCR has updated its guidance on the direct liability of BAs, clarifying which “party is ultimately responsible for satisfaction of various responsibilities and patient rights,” explains HIPAA expert Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems LLC in Charlotte, Vermont. “Where the BA is not responsible, the hiring entity is.”

Consider asking your BAs these questions to test their understanding of HIPAA compliance before you bring them on board:

  • What HIPAA rules’ safeguards do you employ to protect PHI/ePHI?
  • Is it possible to review your HIPAA-compliance record?
  • Are you willing to enter into a BAA?
  • What tools and services do you offer?
  • Do you perform an annual audit and analyze your risks?
  • What kind of vetting do your employees undergo?
  • Do you train staff on HIPAA compliance — and update when regulations change?
  • Do you implement mobile device management?
  • Are you aware of the spike in cybersecurity risks to the healthcare industry?
  • What are your policies, procedures, and protocols for a data breach?
  • Do you have an incident response plan, including a chain of command, in place?

Resource: Review OCR guidance on BAs at www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html.
