12 criteria for assessing and mitigating BA management risk
As healthcare organizations face an increased risk of breaches affecting patient privacy and security, it’s critical that they recognize the significant role played by their business associates (BAs). Rigorous due diligence is part of the risk analysis conducted by covered entities (CEs) to ensure partners have HIPAA-compliant policies in place to safeguard the privacy and security of protected health information (PHI).
It’s crucial that healthcare organizations be detail-oriented and methodical in assessing their BAs, say Anthony Murray, vice president of information technology, and Rita Bowen, vice president of privacy, compliance and HIM policy for MRO, a company that provides products and services to ensure the secure, compliant and efficient exchange of PHI.
Murray and Bowen urge organizations to assess the vendor’s compliance with HIPAA regulations, the integrity of the vendor’s data and its breach prevention practices. In that process, IT and security executives should create a list of assessment factors that correspond to the type of data the vendor can access. They believe it’s essential that the vendor meet the following 12 requirements.
Designate a privacy officer and security officer
Designating both a privacy and security officer indicates a BA’s commitment to the HIPAA privacy and security rules. A privacy officer is responsible for developing a HIPAA-compliant privacy program that ensures enforcement of privacy policies and procedures to safeguard PHI. The focus of a security officer is compliance with administrative, physical and technical safeguards of the security rule. Both officers develop and implement policies, procedures, training and risk assessments to ensure compliance and prevent breaches.
Documented privacy and security policies and procedures
BAs need strict rules that cover employees, volunteers, contractors and other members of the BA workforce. This administrative requirement enables a BA to enforce policies and take necessary action if an employee does not comply with HIPAA privacy and security rules. In addition to the stipulation that training be provided “as necessary and appropriate for members of the workforce to carry out their functions,” documentation of policies and procedures assures that thoughtful consideration has been given to the implementation of HIPAA rules within daily business practices.
Active privacy and security program that aligns with HIPAA requirements
If the BA has implemented an active privacy and security program, the covered entity gains assurance of HIPAA compliance based on alignment with, and understanding of, the regulations and any supplemental guidance that may have been released. This enables the CE to audit the BA’s program in an effective manner and provides documentation of the BA’s compliance program.
Ongoing security administration activities to face security threats
Continuous monitoring is a risk management approach that maintains an accurate picture of a BA’s security risk posture, provides visibility into assets and uses automated data feeds to quantify risk, ensure effective security controls and implement prioritized remedies. A dynamic process provides essential, near real-time security status that is vital in today’s environment of cyber intrusions, advanced persistent threats and insider threats. Ongoing activities demonstrate a strong IT security posture and assure rapid response to security threats.
Established systems for discovery of breaches and a formal response plan
A thorough incident response process protects both the BA and the CE from a potential loss of revenue. Rapid detection and response by the BA limits the impact on data, customer trust, reputation and revenue. A BA should be able to demonstrate its response plan, including what defines an incident, the roles and responsibilities of the response team, the tools for managing an incident, the steps for involving privacy and security staff, and how the incident will be investigated and communicated to the CE.
Annual HIPAA training and education for the workforce
HIPAA training is mandatory, “as necessary and appropriate for members of the workforce to carry out their functions” based on the release of regulatory changes and/or guidance affecting the BA’s responsibilities. Role-based training is more effective than a one-size-fits-all approach. Sufficient time for incremental dissemination of information is required for trainees to absorb the relevance of HIPAA to their respective roles.
BA agreements with downstream BAs
It’s crucial that BAs include documentation of the right to terminate a downstream vendor for security or privacy violations. Once BAs and downstream BAs have been identified, the CE must ensure that these third parties handle any PHI provided to them in a secure manner. The HIPAA Omnibus Rule changed how BAs are expected to maintain PHI security. The Privacy Rule requires that a CE obtain satisfactory assurances, in writing, from its BAs stating that each BA will properly safeguard the PHI it receives or creates on behalf of the CE. Knowing the chain of custody of your data is important because BAs can be subject to consequences similar to those of CEs if PHI is compromised in a healthcare data incident.
Adequate physical security protections in place, in addition to systems and process protections
CEs should use established guidelines to implement adequate measures and protections. A good starting point is the Guide to Privacy and Security of Electronic Health Information published by The Office of the National Coordinator for Health Information Technology. Understanding EHRs, the HIPAA privacy and security rules, the vulnerability of patient information in your health information system, and what will be shared with a BA is imperative. The business associate agreement (BAA) must include appropriate protections as well.
Current disaster recovery plan available for assessment
A disaster recovery plan is a documented, structured strategy with instructions for responding to unplanned incidents. This step-by-step plan includes precautions required to minimize the effects of a disaster, enabling an organization to continue operations or quickly resume functions that are mission critical. The CE typically performs a risk analysis and a business impact analysis of processes and continuity needs. This establishes the recovery objectives that should be communicated to the BA to assure appropriate and timely response to incidents.
Report on any HIPAA breaches by the vendor or subcontractor
The BA should be asked about any HIPAA breaches it may have caused or been part of, along with the subsequent remedial efforts. To minimize risk up front, the CE should put this question to any BA under consideration before entering into a partnership. This inquiry is a required part of the CE’s due diligence in evaluating a potential partnership with a BA.
Assessment of potential impact of the breach history on your organization’s reputation
This involves the evaluation of remedial work by the BA. As part of the CE’s due diligence, an assessment of potential impact should follow any HIPAA breach report provided by a BA. If evidence indicates that corrective measures have been taken to minimize future risks, the CE should consider building specific parameters and/or safeguards into the BAA.
Evidence of financial stability to protect against failures that could jeopardize data privacy and security
If the BA is not financially stable, the CE could end up covering all costs related to an incident caused by or in relationship with the BA. Evidence of financial stability, including cybersecurity insurance, supports the BA’s ability to assist the CE should there be an incident, as well as the ability to afford programs required to safeguard the CE’s data and perform compliance activities including SOC 2 reports and certifications such as HITRUST.