General Surgery Coding Alert

HIPAA:

Vet Your BA’s HIPAA Harmony Before Hiring

Their non-compliance may be your liability.

As a surgeon, you’re a covered entity (CE) who is responsible for keeping patient data safe under the Health Insurance Portability and Accountability Act (HIPAA). But once you provide patient-data access to your business associates (BAs), you have to be sure they comply with HIPAA too.

Know: A BA “is any person or entity that performs a function or activity on behalf of the practice involving the use and/or disclosure of protected health information (PHI) that is not a part of the practice’s staff,” says Kent Moore, senior strategist for physician payment at the American Academy of Family Physicians.

Go Beyond ‘Satisfactory Assurance’

When your BAs or any vendors they engage on your behalf need access to patient PHI, HIPAA requires that you obtain “satisfactory assurances” that they will safeguard PHI appropriately.

In the past, the Health and Human Services (HHS) Office for Civil Rights (OCR) has indicated that companies don’t necessarily need to do much more than obtain a written business associate agreement that complies with HIPAA and conduct a risk analysis, according to attorney Shannon Hartsfield, an executive partner with Holland & Knight LLP in Tallahassee, Florida.

For example, consider the OCR guidance on cloud services providers (CSPs), Hartsfield suggests. “The HIPAA rules do not expressly require that a CSP provide documentation of its security practices or otherwise allow a customer to audit its security practices,” according to OCR.

Caution: As part of the HIPAA Security Rule, CEs and BAs are required to “conduct an ‘accurate and thorough’ analysis of the risks and vulnerabilities to electronic protected health information (ePHI),” Hartsfield reminds. “OCR has indicated that customers may ask vendors for ‘additional assurances of protections for the PHI, such as documentation of safeguards or audits, based on their own risk analysis and risk management or other compliance activities,’” she says.

Remember: Not too long ago, OCR updated its guidance on the direct liability of BAs, clarifying which “party is ultimately responsible for satisfaction of various responsibilities and patient rights,” explains HIPAA expert Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems LLC in Charlotte, Vermont. “Where the BA is not responsible, the hiring entity is.”

Do this: You can protect yourself by carefully interviewing potential BAs. Consider asking these questions to test a potential BA’s understanding of HIPAA compliance — before you add them to the payroll:

  • Which safeguards required by the HIPAA Rules do you employ to protect PHI/ePHI?
  • Is it possible to review your HIPAA compliance record?
  • Are you willing to enter into a business associate agreement (BAA)?
  • What tools and services do you offer?
  • Do you perform an annual audit and analyze your risks?
  • What kind of vetting do your employees undergo?
  • Do you train staff on HIPAA compliance — and update when regulations change?
  • Do you implement mobile device management?
  • Are you aware of the spike in cybersecurity risks to the healthcare industry?
  • What are your policies, procedures, and protocols for a data breach?
  • Do you have an incident response plan, including a chain of command, in place for employees to follow?

Resource: Review OCR guidance on BAs at www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html.