Third party administrators (TPA) working in healthcare have an obligation to adhere to the standards set forth by the Health Insurance Portability and Accountability Act (HIPAA). Under HIPAA, TPA that service healthcare clients are considered business associates (BAs). 

What are HIPAA TPA Requirements?

As a HIPAA TPA, before working with healthcare clients, you must first become HIPAA compliant. HIPAA requires anyone working with protected health information (PHI) to safeguard the sensitive information. PHI is any individually identifying health information classified into 18 HIPAA identifiers including patient names, Medical record number, health plan beneficiary number, and payment information, to name a few. 

The following are HIPAA safeguards that must be implemented to secure PHI:

• Administrative: are written policies and procedures that must be customized to apply to an organization’s business processes. All employees must be trained annually on an organization’s policies and procedures and HIPAA requirements. 
• Physical: refers to the security of an organization’s physical site with measures such as installing video cameras, alarms, and keypad locks that allow organizations to issue unique access codes for each employee.
• Technical: are cybersecurity measures that are put in place to protect PHI on electronic devices such as encryption or firewalls. All devices containing PHI should have protections to ensure that the integrity of PHI is maintained.

HIPAA Self-Audits and Gap Identification

To determine what safeguards are appropriate for your organization, you must first conduct five self-audits. These audits are required to be completed each year to account for any changes for business processes. 

• Security Risk Assessment: ensures that your organizations administrative, physical, and technical safeguards are in line with HIPAA requirements.
• HITECH Subtitle D Audit: ensures that an organization has proper documentation and protocols in relation to Breach Notification.
• Security Standards Audit: ensures that an organization’s security policies are in line with HIPAA requirements.
• Asset and Device Audit: an itemized inventory of devices that contain ePHI. The device and asset list includes which employee(s) use the device and what security measures are in place securing the device.
• Physical Site Audit: each physical location must be assessed to determine if there are measures protecting PHI, such as locks or alarm systems.

Completing self-audits allows your organization to determine if there are any gaps in your security practices so that you may address them with remediation efforts. 

Policies and Procedures

As a HIPAA TPA you must have written policies and procedures that are customized to apply directly to your organization’s business processes. When drafting your organization’s policies and procedures, it is imperative that you look to HIPAA Security, Privacy, and Breach Notification Rules to ensure that you are covering the full scope of the regulation. You must review your policies and procedures annually to account for any changes in business processes. 

Employee Training

HIPAA requires you to provide trackable training for all employees in your organization that may come into contact with PHI, whether directly or indirectly. Training must be completed annually and documented to prove that all employees attended training, and understood what they were trained on. 

Business Associate Management

Business associates (BAs) are vendors that you share PHI with. Before you are permitted to share PHI with BAs, you must first vet them by sending a vendor questionnaire. A vendor questionnaire is similar to a security risk assessment as it analyzes their security practices to ensure that they are adequately securing PHI. 

In addition, before you are permitted to share PHI with your BAs, you must have signed business associate agreements (BAAs). A BAA limits the liability for both parties as it states that both parties agree to be HIPAA compliant, and each party is responsible for their own compliance. However, if you fail to adequately vet your vendors, if they experience a HIPAA breach, you would both be held liable. 

Breach Notification and Incident Response

Healthcare breaches must be reported to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) as well as affected individuals. Depending on the size of the breach, reporting requirements differ.

• Meaningful breaches: are breaches affecting more than 500 individuals. Meaningful breaches must be reported within 60 days of discovery to HHS OCR, affected individuals, and the media.
• Minor breaches:  are breaches affecting less than 500 individuals. Minor breaches must be reported by the end of the calendar year to HHS OCR and affected individuals.

An organization that experiences a healthcare breach must develop corrective action plans to ensure that a similar breach does not occur in the future. If the breach occurs from an internal entity, the organization should retrain employees to ensure that they understand what is permitted and what is not. Healthcare breaches that occur due to an external entity should assess security measures to determine where security gaps are. Once gaps are determined, remediation efforts should be implemented to address identified gaps.

Need Assistance with HIPAA Compliance?

Compliancy Group can help! Our cloud-based compliance software, the Guard™, gives you the flexibility to work on your HIPAA compliance from anywhere that has an internet connection. Our software will guide you through our implementation process enabling you to Achieve, Illustrate, and Maintain™ HIPAA compliance.