Best Practices for Complying with HIPAA & Safeguarding Patient PHI Accessible to Your Business Associates

Healthcare is predicted to be the most targeted industry for cyberattacks in 2017, according to the 2017 Data Breach Industry Forecast from Experian. “Electronic health records remain likely to be a top target for hackers,” Experian found. To further heighten & complicate these risks, providers’ responsibilities for protecting protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) extend to certain vendors, referred to as “business associates (BAs)” in the HIPAA regulations. Healthcare, behavioral health and other organizations that maintain and process PHI need to have sound controls, policies and procedures to protect patients’ PHI, and these controls, policies and procedures must also extend to all BAs who have access to PHI.

Who is a HIPAA Business Associate?

A business associate is any organization or person working in association with, or providing services to a covered entity (HIPAA-covered entities include health plans, clearinghouses, and health care providers in certain situations). Some of the most common BAs with access to PHI include: lawyers, accountants, outsourced billing providers, consultants, data/cloud storage vendors, contracted healthcare/ancillary service providers, translators/interpreters, IT vendors, and claims/coding consultants.

When it comes to PHI and HIPAA, preventative controls, policies and procedures must also extend to BAs

AAFCPAs advises covered entities to implement a robust HIPAA/PHI training and education program for all members of the workforce. We also advise providers to develop and institutionalize a Risk Management Program, including an ongoing risk assessment process.  The risk management program & assessment for HIPAA covered entities should incorporate BAs and the extension of risk they pose for a healthcare organization.
One of the key themes within HIPAA is to limit the collection and transmission of PHI to the minimum necessary. Providers should implement policies and controls that anonymize key PHI to limit what is available to BAs. This can be done by removing personal identifiers from reports provided to BAs, or by building parameters into electronic medical record (EMR) or other systems to limit identifiers or make them anonymous.
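The following is an added example, not code from AAFCPAs or any EMR vendor, of what “removing personal identifiers from reports provided to BAs” looks like in practice. It applies the main Safe Harbor generalizations (drop direct identifiers, keep only the year of dates, aggregate ages over 89 into 90+, truncate ZIP codes to three digits, and scrub patterns that leak through free-text fields) to constructed sample records, and finishes with a pre-release check that the report no longer carries a direct identifier. The field names, the report date, and the `RESTRICTED_ZIP3` set are assumptions; a real low-population ZIP3 list comes from Census data, and Safe Harbor covers more identifier classes than this script handles.

```python
import re
from datetime import date

# Constructed sample records for illustration only; no real patient data.
# Field names (dob, zip, mrn, ...) are assumptions, not a real EMR export schema.
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "dob": "1925-04-12", "zip": "02134", "phone": "617-555-0100",
     "email": "jane.doe@example.com", "ssn": "123-45-6789", "mrn": "MRN-00042",
     "diagnosis": "Type 2 diabetes", "visit_date": "2017-02-03",
     "notes": "Patient Jane Doe called 617-555-0100 about a refill."},
    {"name": "John Roe", "dob": "1980-07-30", "zip": "03601", "phone": "603-555-0199",
     "email": "john.roe@example.org", "ssn": "987-65-4321", "mrn": "MRN-00077",
     "diagnosis": "Hypertension", "visit_date": "2017-01-15",
     "notes": "Follow-up scheduled; contact john.roe@example.org."},
]

# Date the report is generated; drives the age calculation (assumed value).
REPORT_DATE = date(2017, 3, 1)

# Safe Harbor: the first three ZIP digits may be kept unless that ZIP3 area has
# 20,000 or fewer people, in which case it becomes 000. This set is a constructed
# placeholder; a real list is derived from Census data.
RESTRICTED_ZIP3 = {"036", "059", "102"}

# Columns that are direct identifiers and must never reach a BA report.
DIRECT_IDENTIFIERS = ("name", "phone", "email", "ssn", "mrn")

# Patterns for identifiers that tend to leak through free-text fields.
FREE_TEXT_PATTERNS = {
    "[SSN]": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "[PHONE]": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    "[EMAIL]": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
}


def age_on(dob, as_of):
    """Whole years between dob and as_of."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def generalize_zip(zip_code):
    """Keep the ZIP3 prefix, or 000 for low-population areas."""
    zip3 = zip_code[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def scrub_free_text(text, known_names):
    """Replace pattern-matched identifiers and known patient names in free text."""
    for placeholder, pattern in FREE_TEXT_PATTERNS.items():
        text = pattern.sub(placeholder, text)
    for name in known_names:
        text = text.replace(name, "[NAME]")
    return text


def deidentify(record, as_of=REPORT_DATE):
    """Return a new record with Safe Harbor identifiers removed or generalized."""
    dob = date.fromisoformat(record["dob"])
    out = {}
    age = age_on(dob, as_of)
    if age > 89:
        # Ages over 89 (and the dates that would reveal them) are aggregated into 90+.
        out["age"] = "90+"
    else:
        out["age"] = age
        out["birth_year"] = dob.year        # the year alone is permitted
    out["zip3"] = generalize_zip(record["zip"])
    out["visit_year"] = date.fromisoformat(record["visit_date"]).year
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in ("dob", "zip", "visit_date"):
            continue                        # dropped, or already generalized above
        out[key] = scrub_free_text(value, [record["name"]]) if isinstance(value, str) else value
    return out


def contains_direct_identifier(record):
    """Pre-release check: True if any identifier column or pattern survives."""
    if any(key in record for key in DIRECT_IDENTIFIERS):
        return True
    return any(pattern.search(value)
               for value in record.values() if isinstance(value, str)
               for pattern in FREE_TEXT_PATTERNS.values())


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        cleaned = deidentify(rec)
        assert not contains_direct_identifier(cleaned)
        print(cleaned)
```

The pre-release check is the part worth keeping in any export pipeline: it runs over the report actually being sent, not over the source table, so a free-text column that was added after the de-identification rules were written still gets caught before the file reaches the BA.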

Protect PHI and Mitigate Risks with Business Associate Agreements (BAAs)

In many cases, PHI breaches occur in the transmission of data between healthcare organizations and their BAs. These transmissions typically occur at the beginning of an engagement with a BA, and at the conclusion of an engagement or project. AAFCPAs recommends that clients have a clear understanding of their BAs’ controls, processes and procedures and the risks they pose for the covered entity. Providers must have compensating controls to ensure vendors and BAs are properly securing and transmitting PHI.
Business associate agreements (BAAs) can be a critical tool for understanding & documenting these controls, processes and procedures, and ultimately in protecting PHI.  BAAs are a contract between a HIPAA-covered entity and a HIPAA business associate, and they stipulate and document how the BA will use, disclose and reproduce PHI, safeguard PHI, and notify the covered entities in the event a breach of PHI occurs.

AAFCPAs has highlighted for your consideration some best practice recommendations for mitigating the risk assumed by organizations through their BAs.

  • AAFCPAs reminds clients that it is critical that all transmissions of PHI are done with security in mind, and that healthcare providers and BAs have email encryption and secure data transmission protocols in place.
  • It is critical that provider organizations obtain signed BAAs before any PHI is transmitted to a BA.
  • Healthcare organizations should ensure that BAAs are updated annually, or periodically depending on changes with BAs, or stipulations within BAAs. BAAs may be in effect for a specific term, or cover the organization and the BA in perpetuity, depending on the nature of the services provided.
  • Consider customizing BAAs depending on the consultant / service provider relationship. Customization may specifically define terms, such as: the duration of the project / engagement being performed, the level of access to PHI given to the BA, and approved uses of the PHI.
  • Often BAs utilize subcontractors to perform services. BAs must incorporate subcontractors into BAAs when applicable, and the covered entity should understand the BA’s controls over transmission of PHI to subcontractors.
  • Make the BAA a part of your routine vendor or service provider on-boarding process, and new vendor approval process, including potentially performing background checks as new BA relationships arise.
  • Healthcare providers should perform a periodic inventory of vendors to determine whether they have access to, or possession of PHI and conclude whether a BAA has been obtained or needs updating.
  • A significant risk with PHI is that BAs may retain PHI in unsecure databases or servers well after the conclusion of an engagement or project, and after the BAA effective period has lapsed. Healthcare organizations should stipulate best practices within their BAAs to ensure BAs are properly securing PHI.  Some of these best practices include secure storage of PHI, and destruction of PHI at the conclusion of any project or engagement by a BA.  Consider getting confirmation from BAs when PHI is destroyed (and stipulating that requirement in the BAA).
  • AAFCPAs recommends that healthcare entities assign a responsible party to own and manage the BAA process. Common BAA champions for healthcare organizations include the chief compliance officer, CFO, a member of the business office, or an IT team member.  This person should be responsible for keeping an inventory of BAAs, including their effective dates, and understanding high-level controls that BAs have in place over PHI.

AAFCPAs reminds clients that the BAA document in and of itself does not eliminate your risk.  These agreements serve as a guide in understanding risks and control activities, but formal risk assessments provide management with assurance that key business processes have control activities in place, and that they are achieving the organization’s objectives to protect PHI.
The ramifications of a PHI breach, including damage to a provider’s reputation as well as criminal and civil fines, are too significant to not have key preventative measures in place to mitigate the risks of breach or violation.
AAFCPAs advises clients in developing and institutionalizing risk management programs, including establishing ongoing risk assessment processes. In addition, our Business and IT Advisory practice helps clients better secure patient data by providing HIPAA Security Rule assessments, subservice provider controls assessments, IT security assessments, and data de-identification/Safe Harbor Rule assessments.
If you have any questions, please contact your AAFCPAs’ partner, or Charlie Webb, CPA at 774.512.4046,

About the Author

Charlie specializes in providing assurance solutions to sophisticated nonprofit organizations, including: community health centers, home health agencies, nursing homes & senior care living organizations.  Charlie also has substantial experience providing assurance solutions to Massachusetts charter schools and has conducted trainings to charter school and community health center industry groups, including the Massachusetts Charter Public School Association and the Massachusetts League of Community Health Centers.  Charlie excels in audits in accordance with generally accepted auditing standards, Uniform Guidance/Single Audit and Government Auditing Standards.