Safeguarding protected health information is becoming more challenging every day—especially for companies operating in healthcare verticals who don’t always understand that compliance issues apply to them. Yet, under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, companies operating in a variety of healthcare verticals are categorized collectively as “Business Associates” (BAs) and, as such, are required to act in accordance with the HIPAA regulations.
How Do You Define “Healthcare Companies”?
What kind of healthcare companies does this include? The short answer: More than you think. Healthcare companies and anyone operating in a healthcare vertical include anyone who has access to electronic patient health information (ePHI) and any organization that stores, transmits or receives ePHI.
Companies operating in the healthcare space who are subject to HIPAA rules can include (but are not limited to) organizations that provide the following services:
- Revenue cycle management
- Coding/Documentation services
- Collection and A/R recovery services
- EHR software and solutions
- Patient records management services
- Document management services
- Medical software/SaaS services
- Mobile healthcare services or applications
- Healthcare IT services
- Practice management services
- Contract management services
- Radiation document and image management services
- Health plan administration and services
These are but some of the many companies operating in the above healthcare verticals who could be considered a Business Associate under HIPAA regulations. Any company that provides services to organizations defined by HIPAA as “Covered Entities” may well find itself subject to compliance regulations with which it is not familiar.
What are “Covered Entities”?
HIPAA defines “Covered Entities” as health plans, healthcare clearinghouses, and healthcare providers who electronically transmit health information in connection with transactions for which HHS has adopted standards. The HIPAA Omnibus Final Rule goes into stipulations for Business Associates in greater detail. What BAs should take away from the Final Rule is that they may be held liable in the event of a HIPAA breach in many of the same ways that Covered Entities (CEs) may be.
The Cost of Noncompliance
The risks and costs of being found non-compliant can be steep. The Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) recently agreed to a settlement for potential HIPAA violations caused by the theft of a mobile device that contained the ePHI of 412 patients. According to the U.S. Department of Health and Human Services notification, the CHCS provided management and information technology services as a Business Associate to six skilled nursing facilities. The settlement included monetary payment of $650,000 and a corrective action plan.
“Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities,” said U.S. Department of Health and Human Services Office for Civil Rights (OCR) Director Jocelyn Samuels in a statement relative to this case. “This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule.”
The Importance of the Business Associate Agreement (BAA)
Healthcare companies, vendors, or providers who qualify as Business Associates are required to sign a HIPAA Business Associate Agreement (BAA). The document is an integral part of any contractual agreement with any provider of services, products, or applications, and must provide detailed information explaining how the BA will respond to a breach of any kind, including one caused by any subcontractors used by the BA. The BAA must also describe how a BA will respond to an audit by the Office for Civil Rights (OCR).
HIPAA rules hold Covered Entities responsible for their own data breaches, as well as many of the things over which their BAs have direct control. If a CE is audited, its BAs may be required to provide certain files or documents in a very short amount of time, as prescribed by HIPAA. The BAA acts almost like a service level agreement (SLA) that ensures these and other needs will be promptly met.
For companies of all types and all sizes, this is serious business—and the regulatory authorities are intensifying their focus on any business operating in the healthcare space as it relates to compliance. Fines are being assessed with increasing regularity and all businesses operating in the healthcare space should take note.
To illustrate the importance of having a BAA in place, a Raleigh, N.C. orthopedic clinic agreed to pay $750,000 to settle charges that it potentially violated the HIPAA Privacy Rule by handing over protected health information (PHI) for approximately 17,300 patients to a potential business partner without first executing a business associate agreement.
“HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” said Jocelyn Samuels. “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.”
HHS provides a template for business associate agreement language on its website to help covered entities and business associates execute agreements that address the business associate contractual requirements.
How Can You Manage HIPAA Compliance Issues?
Compliance with HIPAA regulations is a long-term process and at times can feel overwhelming. Yet, for companies operating in the healthcare industry, the risks associated with non-compliance are huge. Staying apprised of changes to HIPAA regulations can be a daunting task, but here are some actions you can take to make sure you know the latest.
- Know Where to Find Resources. The Office for Civil Rights (OCR) provides a wealth of online information about safeguarding ePHI including FAQs, guidance, and technical assistance materials. One easy way to stay updated is to sign up for the OCR announcement-only Privacy and Security Listservs.
- Ask Questions. It’s critical that you ensure any BAs with whom you work fully understand their responsibilities and obligations regarding compliance. Take the time to ask and answer questions and highlight the HIPAA compliance requirements for business associates. These questions can include:
  - What is your risk analysis plan?
  - Do you encrypt your devices?
  - What are your disclosure policies?
  - What are your IT practices?
  - How do you handle server maintenance and backup information?
  - Do you or your employees use personal devices for ePHI?
  - What are your password policies?
  - Describe the company’s physical security.
  - Do you do background checks on your employees?
  - What kind of training do you supply your employees?
  - What is your breach mitigation plan?
- Explore HIPAA Compliant Hosting. HIPAA compliant hosting can alleviate some of the concerns that accompany being a business associate in a healthcare vertical. By working with a hosting provider that employs HIPAA compliance processes, healthcare-focused companies can construct a comprehensive plan that will, when combined with workplace safeguards and internal best practices, allow vendor partners to reach HIPAA compliance collaboratively. This collaboration of efforts is key, since HIPAA compliant hosting alone can’t eliminate risks that exist inside the workplace. However, it can help mitigate threats to ePHI and also afford easier access and management of a company’s IT infrastructure.
By taking action to evaluate your organization’s level of compliance with HIPAA rules—and that of any business associates with whom you work—and staying on top of HIPAA regulation changes and updates, you will ensure your company is maintaining the appropriate level of compliance and avoiding the risks and penalties of non-compliance.