Quick Compliance Check for Your HIPAA Business Associates  
By: Brian Hadley, CISSP, HCISPP and Cristine Vogel, MPH 

The HIPAA regulations hold your business associates and their subcontractors directly accountable and liable for the privacy and security of protected health information.  The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced that Phase 2 of the HIPAA Audit Program is ready to begin and will conduct audits of approximately 200 covered entities (CEs) and their business associates (BAs).  The audits will review policies and procedures and assess compliance with security and privacy risk management, breach notification and notice of privacy requirements.
 
What should you do?
  • Make sure your HIPAA policies and procedures are updated and refresh employee training
  • Identify your business associates and make sure the business associate agreements comply with new HIPAA requirements
  • Contact your business associates and review their HIPAA compliant responsibilities 
As a CE, you need to make sure you have identified all your BAs, have updated agreements in place, and ensure that your BAs understand they, too, may be audited for HIPAA compliance.
Review these three steps to conduct your own quick HIPAA compliance check.
 
Covered entities, such as hospitals, physician practices and health plans, have contracted with more HIPAA business associates than ever before as accountable care and value-based payment models are expanding throughout the country.  Clinical integration and data sharing are raising new concerns about the privacy and security of protected health information (PHI) as new players are entering the healthcare arena and may not be fully aware of the responsibilities of being a HIPAA business associate.
 
According to the OCR's 2016 Phase 2 HIPAA Audit Program, audits will be conducted of approximately 200 CEs and their BAs to review policies and procedures and assess their compliance, specifically, with security and privacy risk management, breach notification and notice of privacy. 
 
The 2013 final HIPAA rule strengthened the privacy and security protections for individuals' health information that is maintained in electronic health records and other formats, and it also clarified the responsibilities and liabilities of CEs and BAs.  Some of the key points discussed in this article include:
  • CEs must establish a business associate agreement (BAA) that requires the BA to implement administrative, physical, and technical safeguards to protect electronic protected health information (ePHI) that they create, receive, maintain, or transmit  
  • BAs are directly liable for uses and disclosures of PHI that are not in accord with their BAA
  • BAs are directly liable for failing to enter into a BA agreement with subcontractors that create or receive PHI on the BA's behalf
Below we provide three steps to begin making sure your organization and your BAs are in compliance with HIPAA requirements.

Step 1. Make sure your HIPAA policies and procedures are updated and refresh employee training 
 
In the event of an audit, auditors will be making sure HIPAA policies and procedures meet the newest privacy and security requirements.  Thoroughly review each section of your HIPAA policy and procedure binder and make sure it contains the additional requirements in the 2013 final HIPAA rule.  Once your HIPAA binder is updated, conduct training sessions to remind employees of their roles and responsibilities in protecting PHI.
  • Review your existing policies and procedures and compare them to the 2013 final HIPAA requirements and your current risk assessment to identify any gaps
  • Update existing and develop new policies and procedures based on your review
  • Provide a training refresh session for all staff; document that training was conducted and have each employee sign an attendance sheet (remember that security training is an annual requirement!)
BUSINESS ASSOCIATES ARE DEFINED AS:
 
A person, partnership, corporation, professional association, or other entity who creates, receives, or transmits personal health information on behalf of a covered entity or who provides services to or for the covered entity involving the disclosure of personal health information.
 
The final rule provided common examples of BA functions which include claims processing, billing, data analysis, data processing, practice management, utilization review, quality assurance, benefit management, claims re-pricing, legal, actuarial, accounting, consulting, management, technical support, administrative, and accreditation.  Also included are such organizations as: Health Information Organizations, e-Prescribing Gateways, and Personal Health Record vendors.

 
Step 2.  Identify your business associates and make sure the business associate agreements comply with new HIPAA requirements 
 
Evaluate all your business partners with whom you have contracts and determine if PHI is exchanged.  If so, make sure there is an updated BAA in place and confirm that the agreement meets the requirements of the 2013 final HIPAA rule.
 
Business associates are directly liable for compliance with many HIPAA requirements. Under the final HIPAA Security Rule, CEs were to establish a BAA that requires BAs to implement administrative, physical, and technical safeguards that protect the confidentiality, integrity, and availability of the ePHI that they create, receive, maintain, or transmit on behalf of the CE, including any other agent or subcontractor.  The BAA must also include that the BA report to the CE any breach of unsecured PHI; enter into BAAs with subcontractors; and comply with the HIPAA Privacy Rule to the extent it applies.
  • Assess all your contracts and determine if PHI is exchanged
  • Create a list of all business associates and the services they provide
  • Confirm that an executed contract is in place for each business associate and that each contract contains all required details according to the 2013 final rule
Step 3. Contact your business associates and review their HIPAA compliant responsibilities

Business associates must comply with specific provisions of the final Privacy Rule and Security Rule requirements the same as CEs.  BAs are now directly liable for any HIPAA violations.  Also, CEs are held responsible for violations by their BAs, and BAs are held responsible for violations by their subcontractors. 
 
Develop a dialogue between your organization and all of your BAs to make sure they are aware of their HIPAA obligations.  Remind your BAs that OCR is rolling out its audit program and that they can be held liable for certain HIPAA violations.
  • Inform each BA about their HIPAA responsibilities and have them review and sign an updated agreement
  • Have each of your BAs list the name, address and functions of their "downstream" entities 
  • Make sure your BA has a written contract covering compliance with the HIPAA rules with those subcontractors who create, receive, maintain, or transmit PHI on behalf of your BA
  • Ask if the BA has experienced any breaches and if so, how the breach was handled
  • Request an electronic copy from each of your BAs of their HIPAA privacy, security and breach policies
  • Request an electronic copy of their recent Risk Analysis and Security Assessment
Regular monitoring is the best mechanism to ensure compliance, but it requires CEs and BAs to have updated agreements, policies and procedures in place.  Additionally, employees should receive training when they are newly hired, and your entire organization should receive annual security training.  All training should be documented.  OCR will begin its 2016 audits of BAs with the intent to identify best practices and to further educate CEs and BAs about compliance weaknesses.  It is not clear how OCR will address blatant HIPAA violations during Phase 2: whether it will impose penalties or only require corrective action plans.


REMEMBER, ENSURE THAT EVERY BUSINESS ASSOCIATE IS PROTECTING YOUR PATIENTS' INFORMATION AS SECURELY AS YOU DO!


*    *    *    *    *  

  VantagePoint HealthCare Advisors provides comprehensive services to help you achieve and maintain HIPAA compliance:
  • Risk Analysis
  • Implementation and Monitoring Guidance
  • Security Assessment
  • Self-Assessment Audit Tools
  • Privacy Officer, Security Officer and General Staff Training
  • Business Associate Compliance Audits
Visit our website to learn more, or call us at 203.288.6860.

VantagePoint is an informational news article series produced by VantagePoint Healthcare Advisors. With each edition we strive to bring vital information to the healthcare industry on topics of policy, finance, compliance and business management.

Visit our website or call 203-288-6860 and learn more about how our team of industry experts can benefit your practice or organization.

© 2016 VantagePoint Healthcare Advisors. All Rights Reserved.