In light of recent large-scale breaches in healthcare, it is imperative that covered entities (CEs) understand the importance of business associate security. Over the course of seven years, data breaches in healthcare have increased by 70%.
The recent breach of the American Medical Collection Agency (AMCA) affected 20 million patients. The AMCA breach was a result of hackers gaining access to the collection agency’s web payments page. The data exposed included protected health information (PHI) such as Social Security numbers, payment details, bank account information, names, addresses, and dates of birth. Although the Office for Civil Rights (OCR) holds business associates (BAs) liable under HIPAA law, in this instance, the covered entities (CEs) may also be held responsible.
Four Steps to Implement with Your Business Associates
The following are steps that you should take to ensure best practices and mitigate your liability.
Evaluate your business associate before you do business with them. Covered entities (CEs) must vet their vendors before conducting business with them. It is not enough to send out a business associate agreement. The Health Insurance Portability and Accountability Act (HIPAA) requires CEs to do their “technical due diligence” before the transmission of any PHI.
Technical due diligence means that the CE has questioned the BA to ensure that the BA has the proper safeguards and policies in place to protect the PHI that you will be transmitting to them. You can use a risk questionnaire to do so. If a vendor is unwilling to complete the risk questionnaire, then you should not be doing business with them. In the case of the AMCA breach, CEs will be held responsible if they did not do their technical due diligence.
Documentation is key to proving your HIPAA compliance. Even if you have followed all of the regulations set forth by HIPAA, if you have no documentation, you are not HIPAA compliant. In the event of a breach, a CE must be able to provide documentation demonstrating that it evaluated the BA's security practices and found them sufficient to protect PHI.
Contracts between a CE and BA limit liability for both parties. A business associate agreement (BAA) is required by law. The BAA must be customized to fit the relationship between the vendor and CE. A BAA establishes the security and privacy requirements for each party and lays out who is required to do what in the event of a breach.
Monitoring your business associates' (BAs') security practices allows you to determine whether you should continue to do business with the vendor in the future. A risk assessment needs to be completed annually to ensure that the vendor is still properly safeguarding PHI.
Need Help with Your Business Associate Management?
Compliancy Group can help! Our cloud-based compliance software the Guard™ has everything you need to vet your vendors, document your due diligence, and provide you with business associate agreements. Find out how Compliancy Group can help you Achieve, Illustrate, and Maintain™ HIPAA compliance!