How six key strategies can mitigate business associate risk
As advancements in health information technology allow increased access to Protected Health Information (PHI), covered entities and business associates face an uphill struggle to protect patient data and privacy.
Adding to the complexity are industry trends around the renewed focus on vendor relationships and compliance, along with the Office for Civil Rights’ (OCR) heightened scrutiny of business associates (BAs). In fact, OCR’s enforcement measures have targeted poor Business Associate Agreement (BAA) management, emphasizing incidents in which the BA was at fault.
More than ever before, covered entities (CEs) must focus on the risks and threats posed by their BA activities. The impact of BA breaches on patients of a CE can range from cases of identity theft to exposure of sensitive information regarding a condition, treatment or test that could lead to harm, embarrassment or discrimination. If fines are imposed, sanctions and actions will be held against the CE as well.
In addition to thorough due diligence when evaluating BAs, it is critical that CEs conduct ongoing risk analysis to mitigate risk associated with BAs. Here are some ideas and best practices that CEs can incorporate into the risk assessment process to ensure a consistent approach to BA management.
Outsourcing and the importance of governance
Much has been written recently about the factors leading more healthcare organizations to outsource technology and services, such as PHI disclosure management. Organizations should look to industry specialists, particularly privacy and security experts, when dealing with third parties to regulate staffing ratios, perform specific services and handle PHI appropriately. Though you’re looking to partner with experts, your compliance program must ensure that all of your BAs adhere to their compliance requirements. Follow the well-known adage, “Inspect what you expect.”
When it comes to access controls, understanding the importance of information governance is essential. What governance guidelines are in place? Are all CE and BA stakeholders aware of the policies and procedures? What is the depth of BA management? Governance must include an understanding of the services provided by the vendor and must associate the appropriate risk level with each service. The potential risk level will determine the extent of the privacy and security controls.
BAs can enhance CE assessment from a risk perspective. For example, we employ a number of transparent controls that are discussed up front in our relationships with clients. These include policies for managing access controls, reporting incidents and privacy threats, and allowing access to end user training.
As the threat profile of BAs continues to draw attention, there’s a growing need to acknowledge shared challenges and opportunities among vendors and the healthcare organizations they serve. In terms of privacy and security concerns, we’re facing many of the same issues due to changes in legislation and increased threat of health data breach. Coming together as a community is an integral part of the solution.
BA assessments and compliance
Above all, privacy and security officers must guide their organizations to develop and maintain clear, consistent policies and procedures for managing BA relationships.
Here are six best practices to mitigate risk associated with BAs.
- Perform initial due diligence. Identify what services are being performed, where the services are being performed, and what contracts must be in place, including BAAs, Master Service Agreements (MSAs), Nondisclosure Agreements (NDAs), Data Use and Reciprocal Support Agreements (DURSAs) and others that apply. The BAA should be based on the amount and type of information that will be accessible by the BA. For example, a release of information (ROI) company has direct access to PHI while an IT company does not. OCR provides detailed guidance on what to include in a BAA.
- Establish a process for vetting prospective BAs. CEs must be vigilant about making sure a vendor is a valid BA. According to certain provisions of the HIPAA Privacy Rule, BAs are directly liable for compliance. Before entering into a contract with a prospective BA, know the rules and ask pertinent questions. How does the BA collect, store, process and transfer PHI? Is the BA fully aware of HIPAA compliance rules and regulations? Does the BA follow sound governance practices?
- Involve security and compliance teams early in the process. This step helps to avoid delayed services or rushed assessments. It is best to involve security and compliance teams in the onboarding of new partner services and technologies up front.
- Create a standard assessment. Establish a uniform measure of risk associated with the various services BAs can provide. Standardization of the assessment process allows for better risk analysis. A comprehensive assessment will cover all applicable administrative, physical and technical controls associated with the services provided.
- Confirm cyber insurance. Make sure your BAs have adequate cyber insurance protections in the event of a breach—based on the services being delivered and the associated risk.
- Perform annual reviews and assessments. Healthcare organizations should implement an annual BA review and reporting process—including any third-party certifications, accreditations or audits achieved by your BA. Confirm that your BAs are doing the right things according to established guidelines. And, as part of the auditing process, identify and officially terminate any BAAs with vendors that are no longer providing services.
As the focus and penalties have increased in cases where BAs were responsible for an incident or breach, maintaining visible, ongoing auditing or evaluation of vendors becomes more critical to compliance and breach prevention.
Building a business partnership
In some cases, a BA may be hesitant to sign a contract. However, a BAA that clearly defines each partner’s responsibilities and restrictions is critical to the business relationship. If a BA has questions or concerns, the CE should listen and respond with emphasis on meeting HIPAA requirements and the importance of breach prevention.
Likewise, the BA should be prepared to answer questions posed by the CE. The CE is responsible for ensuring the BAA is HIPAA compliant and that the BA is committed to upholding the contractual agreement. Ideally, the terms of the contract will cover rules and regulations required by HIPAA while allowing sufficient flexibility for the BA to meet expectations. Promoting mutual understanding through open communication is the basis for a strong business partnership.