For your patients’ and your protection, you need a complete and accurate accounting of all businesses that are accessing, storing, or handling your patient health information (PHI) and compliance-related data.
If you don’t have it, you may suffer an unpleasant and unwanted surprise if you ever face a compliance issue or data breach — because you are ultimately responsible and liable for anything that happens to your patients’ PHI, including any negative consequences as a result of business associates’ actions.
First, do you know all the entities working for you that are defined as “business associates” (BAs) under the expanded Final HIPAA Omnibus Rule definition and guidance provided by the Department of Health and Human Services (HHS)? BAs are now directly responsible for compliance with the HIPAA security and privacy rule requirements, but many organizations that really are BAs deny — or refuse to believe — that they qualify as such.
Many medium-sized hospitals have 200 or more BAs; medium-sized clinics usually have at least 50; and medium-sized providers typically have 15 to 20. How many BAs do you have? Unfortunately, there is no master list of all BAs, so it’s up to you to determine if each organization with which you have a relationship is a business associate as defined in the rules.
Identifying Your Business Associates
You might be surprised about who’s considered a BA. Here are some common examples.
- IT Support Companies: Most organizations need assistance maintaining firewalls, encryption management, and network scanning. Do they have admin access to most of your data?
- Staff Supplementation: From time to time, you probably use medical specialty or administrative staff agencies to meet staffing shortages, for vacation coverage, or for specific medical diagnostic or procedure requirements. Do you know if all of their staff are trained on HIPAA requirements? And, does each organization comply with all HIPAA requirements?
- Collection Services: Many of these services may not specialize in medical data but make it a segment of their business. Do they know and understand the HIPAA requirements? Do they offer specific instructions for secure data exchange and use with you and all their partners?
- Billing Services: These companies routinely handle high volumes of data, documents, and conversations. Is their staff trained on the HIPAA disclosure rules? Do they utilize their own BAs and subcontractors to assist in processing and follow-up services?
- Transcription Services: Do you know where your data is stored and where it is accessed? Many services use subcontractors that may or may not be HIPAA compliant, may or may not operate in a foreign country, and may or may not have a BA agreement with the transcription firm you’re using.
What You Need to Do
Know who your BAs are and whether they are HIPAA compliant. What plans and procedures do they have in place for protecting PHI? Have they trained their staff on HIPAA requirements and security and privacy awareness? Do you know what risks BAs may be creating for you?
Evaluate all the companies you do business with to determine which ones are a BA. You need a Business Associate Agreement (BAA) with each and every BA. Note that a contract to do business is not the same as a BAA as defined by HIPAA.
If a BA refuses to sign a BAA, the requirements identify specific remedies for you to follow:
- Take reasonable steps to resolve the compliance problem with the BA
- If the BA fails to comply, you must terminate the relationship on HIPAA compliance grounds
- Report the non-compliant BA to HHS
In summary, you need to have a complete and accurate accounting of all businesses that are accessing, storing, or touching your PHI and compliance-related information — for the protection of both you and your patients. Without this, you will face some nasty surprises in the event of a compliance issue or data breach. The buck stops with you on this issue. You are ultimately responsible and liable for your patients’ PHI.