Critical practices to improve business associate management
As healthcare organizations face increased risk of privacy and security breach, recognizing the significant role played by their business associates is critical.
Rigorous due diligence is part of the risk analysis conducted by covered entities (CEs) to ensure partners have HIPAA-compliant policies in place to safeguard the privacy and security of protected health information (PHI).
In recent years, many provider organizations have incorporated the HITRUST and SOC 2 frameworks into their third-party assurance process. The focus on breach notification protocols is largely a result of the increased number of breaches involving third-party vendors.
SOC 2 is an attestation report that has long been regarded as the standard for service providers outside of healthcare. SOC 2 provides a third-party assessment aligned with HIPAA and HITRUST service trust principles—security, availability, processing integrity, confidentiality and privacy of the systems and controls in place. The report criteria provide a means to measure effectiveness of the controls against a standard. SOC 2 has evolved and continues to mature as a solid foundation for CEs to evaluate BA management programs.
Founded in 2007, HITRUST evolved in response to the growing privacy and security challenges faced by the healthcare industry. Aligned with its mission to “champion programs that safeguard sensitive information and manage information risk for organizations,” HITRUST provides broad access to common risk and compliance management frameworks.
For example, the HITRUST CSF®, the cybersecurity framework, is a certifiable framework that provides a comprehensive, flexible and efficient approach to regulatory compliance and risk management. Established in 2015, it is a widely recognized security framework focused on the healthcare industry in the U.S. To ensure an inclusive set of baseline security controls, the HITRUST CSF leveraged nationally and internationally acceptable standards including ISO, NIST, PCI and HIPAA. As a result, the framework has been used successfully to demonstrate HIPAA compliance.
Together, HITRUST and SOC 2 provide the basis for an effective BA management program that promotes communication, confidence and common ground. This makes a significant difference in targeting root causes of perceived risk, evaluating controls and working as a team to close gaps and augment privacy and security protocols.
As the adoption of these frameworks and the demand for providing attestation reports become more prevalent, understanding the scope of both HITRUST and SOC 2 is essential. When doing due diligence, make sure the scope of services is relevant to the services that vendors are providing for your organization.
Require your BAs to complete an annual privacy and security assessment that includes similar reports provided to the BA by its subcontractors. A recent Ponemon survey reports that “87 percent of BAs have experienced electronic data security incidents in the last two years, in contrast to 65 percent of healthcare providers and payers. Nearly 60 percent of all [BA] participants said their incident response process had inadequate funding and resources, and the majority had not performed risk assessments.” Due diligence is never done. It’s a journey.
Healthcare organizations that entrust PHI to a BA must ensure that sensitive information is properly safeguarded. Best practice is for providers to partner with compliant, secure BAs that offer compliance knowledge, guidance and value beyond the standard contracted services. Obtaining CFS certification demonstrates integrity and commitment to privacy and security practices aligned with stringent regulatory requirements and expectations of the healthcare industry.
As healthcare’s most widely adopted security framework, HITRUST provides an industry standard for BA risk management and compliance. Covered entities can look to HITRUST certification and SOC 2 attestation for assurance that the foundation for implementing a framework with security controls required to safeguard PHI is in place.
Here are 12 criteria to mitigate BA management risk.
Conduct an assessment of the vendor’s compliance with HIPAA regulations, the integrity of the vendor’s data, and its breach prevention practices. Create a list of assessment factors that correlate to the type of data the vendor can access. Through documentation and firsthand observation, make sure the vendor meets the following requirements:
- Designated privacy and security officer.
- Documented privacy and security policies and procedures that cover employees, volunteers, contractors and other members of the BA workforce.
- Active privacy and security program that aligns with HIPAA requirements.
- Ongoing security administration activities to assess, monitor, prevent and mitigate security threats.
- Established systems for discovery of breaches and a formal response plan.
- Annual HIPAA training and education for its workforce.
- BA agreements with any downstream BAs—including documentation of the right to terminate the downstream vendor for security or privacy violations.
- Adequate physical security protections in place, in addition to systems and process protections.
- Current disaster recovery plan available for assessment.
- Report on any HIPAA breaches the vendor or subcontractor may have caused or been part of, along with subsequent remedial efforts.
- Assessment of potential impact of the breach history on your organization’s reputation—evaluation of remedial work.
- Evidence of financial stability to protect against failures that could jeopardize data privacy and security.