Business Associates Expanding into the Healthcare Market

Business associates are organizations hired by covered entities to perform essential services on their behalf. This may include medical billing, accounting, legal services, email providers, etc. Business associates expanding into the healthcare market must be HIPAA compliant and sign a business associate agreement with their healthcare clients. The following discusses how to expand into the healthcare market.

Expanding into the Healthcare Market: HIPAA Compliance

The healthcare market is one of the most lucrative sectors of the U.S. economy. Not only is it the fastest growing industry, but it is also an essential service. Healthcare clients need business associates to run their business. However, before expanding into the healthcare market, business associates need to become HIPAA compliant.

The Health Insurance Portability and Accountability Act (HIPAA) set forth industry standards to ensure the privacy and security of protected health information (PHI).

To become HIPAA compliant, the following must be implemented:

  • Self-audits. The Department of Health and Human Services (HHS) requires PHI to be secure through the implementation of administrative, physical, and technical safeguards. Self-audits assess the HIPAA safeguards business associates have in place to ensure that they are adequately securing PHI. HIPAA business associates (BAs) are required to complete five self-audits annually.
  • Gap identification and remediation plans. A key component of ensuring HIPAA compliance is identifying gaps so that remediation plans can be created. Completing self-audits enables gap identification.
  • Policies and procedures. Policies and procedures dictate the proper uses and disclosures of PHI by staff members.
  • Employee training. Employees must be trained annually on HIPAA standards, as well as on an organization’s internal policies and procedures. Employee training educates staff members on HIPAA requirements, the proper uses and disclosures of PHI, how to recognize a possible breach, to whom breaches should be reported, and how social media is permitted to be used.
  • Business associate management. Certain business associates may have vendors that come in contact with PHI as part of their job function. This may include cloud service providers (e.g. AWS, Microsoft Azure, etc.) or email providers. Before these services may be used in conjunction with PHI, vendors must be vetted with a vendor questionnaire to confirm their safeguards. Additionally, there must be a signed business associate agreement (BAA) in place. A BAA is a legal document that mandates what safeguards must be in place. It also dictates that the business associate agrees to maintain their HIPAA compliance.
  • Incident management. Organizations that experience a healthcare breach, whether it is internal or external, are required to report the incident.