Practice Management Alert

Prioritize protecting patient information.

When it comes to HIPAA compliance, the carrot is knowing you’re doing a good job protecting patients’ protected health information (PHI) and privacy; the stick is an investigation or potential penalties from a federal agency.

Brush up on ways you can meet your obligations as a covered entity (CE) to protect your patients’ PHI — especially that which is handled by your business associates (BAs) and vendors.

Definition: A BA “is any person or entity that performs a function or activity on behalf of the practice involving the use and/or disclosure of PHI that is not a part of the practice’s staff,” reminds Kent Moore, senior strategist for physician payment at the American Academy of Family Physicians.

Additionally, because these BAs have access to your patients’ medical records, they are subject to HIPAA.

Remember These Aspects of Working with BAs

“HIPAA requires covered entities and business associates to obtain ‘satisfactory assurances’ that their vendors that need access to protected health information will safeguard that information appropriately,” says attorney Shannon Hartsfield, an executive partner with Holland & Knight LLP in Tallahassee, Florida.

In the past, the HHS Office for Civil Rights (OCR) “has indicated that companies don’t necessarily need to do much more than obtain a written business associate agreement from the vendor that complies with HIPAA and conduct a risk analysis,” Hartsfield adds.

For example, consider the OCR guidance on cloud services providers (CSPs), Hartsfield suggests. “The HIPAA Rules do not expressly require that a CSP provide documentation of its security practices or otherwise allow a customer to audit its security practices,” according to OCR.

Important: As part of the HIPAA Security Rule, CEs and BAs are required to “conduct an ‘accurate and thorough’ analysis of the risks and vulnerabilities to electronic protected health information [ePHI],” Hartsfield reminds. “OCR has indicated that customers may ask vendors for ‘additional assurances of protections for the PHI, such as documentation of safeguards or audits, based on their own risk analysis and risk management or other compliance activities,’” she says.

Top tip: Not too long ago, OCR updated its guidance on the direct liability of BAs, clarifying which “party is ultimately responsible for satisfaction of various responsibilities and patient rights,” explains HIPAA expert Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems LLC in Charlotte, Vermont. “Where the BA is not responsible, the hiring entity is.”

Use These Questions

Consider asking your BAs these questions to test their understanding of HIPAA compliance before you add them to the payroll:

• What HIPAA Rules’ safeguards do you employ to protect PHI/ePHI?
• Is it possible to review your HIPAA compliance record?
• Are you willing to enter into a business associate agreement (BAA)?
• What tools and services do you offer?
• Do you perform an annual audit and analyze your risks?
• What kind of vetting do your employees undergo?
• Do you train staff on HIPAA compliance — and update when regulations change?
• Do you implement mobile device management?
• Are you aware of the spike in cybersecurity risks to the healthcare industry?
• What are your policies, procedures, and protocols for a data breach?
• Do you have an incident response plan, including a chain of command, in place?

Resource: Review OCR guidance on BAs at www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html.