How Do You Select the Right Business Associate?
By Kathy Nicholls, CMT, AHDI-F
February marked the one-year anniversary of the HITECH Act, which had a tremendous impact on HIPAA rules and regulations. With this one act, the healthcare industry saw dramatic changes in the processes used to protect the information of the patients it serves. The act also extended the rules on incentives, sanctions, and penalties for noncompliance so that they apply to business associates (BAs) as well as to covered entities.
In 2009, Health and Human Services (HHS) began publishing on its website a list of HIPAA breaches that impacted more than 500 individuals. In one year’s time, these incidents have impacted almost 5 million individuals, with the largest breach affecting 1.2 million people. According to these postings, there are a total of 166 incidents, and 33 of those involved a BA. That equates to 20% of the breaches being attributable to BAs who didn’t do what they should have done.
If you visit vendor websites in search of a new BA, it’s not uncommon to find every one of them using the phrase “HIPAA compliant.” What does that really mean? As a covered entity responsible for selecting BAs who truly protect the information, what questions should you be asking? It is not enough to simply ask whether they are HIPAA compliant.
Therefore, it’s important to consider questions such as the following:
• What is your definition of HIPAA compliant? As with any business arrangement, it’s important that both parties use the same definitions. Be sure that the potential BA is using your definition of what compliance means. Just as the medical transcription industry has always struggled to define what counts as a line, the healthcare industry now needs to define what “HIPAA compliant” means.
• Where will the work be performed? Telecommuting is perhaps more common now than it has ever been. If work is being done from someone’s home, you need to understand how patient information is being protected. Even more important, is the work being done in the United States or in another country? While there is nothing in the HIPAA regulations that prevents sending patient information offshore, full disclosure is just good business sense. Knowing that is the only way you can make an informed decision in your selection process.
• What policies and procedures do you have in place, how are they monitored, and can I see a copy of your latest risk assessment? With the HITECH Act requiring a BA to perform many of the same tasks as a covered entity, any BA should be able to provide you with evidence that they have performed these tasks. If they haven’t, it may be a good indication they aren’t taking the legal requirements seriously, which could put you at greater risk for a breach. Risk assessment is an ongoing process, and this should be evident in the written documentation they provide to you.
• Have all your staff or subcontractors undergone training in privacy and security? This is the responsibility of the BA. For your records, you should document that it takes place. Without the proper training, you cannot be assured that those working with your information really understand the importance of compliance with privacy and security rules and laws.
• Have you had a breach in the past and, if so, how did you handle it? This question will show whether there are holes in the BA’s system. If so, you will want to know that the BA understands the process of identifying whether a breach has occurred as well as taking timely measures to correct it.
• What technical safeguards are in place to protect the data during transmission and while it is stored? You want to know that the information has the proper safeguards not only when it is transmitted but also during storage. Many of the reported data breaches have occurred because information was stored on a portable device that was not encrypted. Some breaches occurred because a BA sent unencrypted e-mails.
• Consider indemnification clauses in your agreements. If your BA does not take the proper steps to protect the information and a breach results, the fines and penalties can be levied against both of you. With the first civil money penalty ever assessed, in February, being in excess of $4 million, an indemnification clause could help cover your costs related to any investigations and penalties.
In the end, it’s really about being sure you are doing due diligence. Written documentation is one way of showing you have carefully considered all the options for selecting a BA and ensured that the information you are entrusting it with will be properly secured and protected. If you find the associate can’t answer these questions appropriately, you’ve probably picked the wrong partner. The HHS website report of organizations that have breached patient information is not a list you want to find yourself on one day.
— Kathy Nicholls, CMT, AHDI-F, is a consultant who assists clients in HIPAA compliance issues. She is author of Stedman’s Guide to the HIPAA Privacy and Security Rules and operates the HIPAA4MT and the MT Tools Online websites.