4 Steps to Ensure HIPAA Compliance by Your Business Associates

The OCR is improving the safety of protected health information handled by contractors. Here’s how you help your business associates retain HIPAA compliance.

If you involve second-or third-party vendors with any aspect of Protected Health Information (PHI), your facility could be liable for their HIPAA compliance infractions. Since 2016, the challenges for business associates have become more complicated. The Health and Human Services (HHS) Office for Civil Rights (OCR) has begun its second phase of HIPAA audits for covered entities and their business associates in 2016. In Phase 2 of the HIPAA Audit Program, the OCR will review the policies and procedures adopted and employed by covered entities and their business associates in order to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification rules.

The OCR are attempting to improve the safety of patient data handled by contractors. Their security failures have been responsible for the exposure of nearly 33 million individuals’ medical records since 2009. The OCR 2021 enforcement actions started with a bang, with five Right of Access Initiative settlements in the first three months of the year. Under the Right of Access Initiative, OCR has aimed to support individuals’ right to timely access of their Protected Health Information (“PHI”) and has targeted covered entities’ non‑compliance with fulfilling HIPAA right of access requirements.

PHI is patient information created by the provider and has a variety of legislation guarding its privacy. PHI is defined broadly to encompass individually identifiable health information related to the health of an individual or to the provision of, or payment for, healthcare services.

Here are four steps you can take to ensure HIPAA compliance for all your business associates.

1:  Re-examine your vendor relationships to determine if they qualify as business associates

The Omnibus Rule defines business associate as any individual (other than a member of the covered entity’s workforce) or organization that performs either of the following:

  • Creates, receives, maintains, or transmits protected health information on behalf of a covered entity or an Organized Health Care Arrangement (OHCA) for a function or activity regulated under the HIPAA administrative simplification rules, such as claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management, or repricing.
  • Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity, if the service involves the disclosure of PHI.

That definition was expanded to include the following new categories of business associates:

  • Those who store or otherwise maintain protected health information.
  • Health Information Organizations (HIOs), e-prescribing gateways, and others who provide data transmission services to a covered entity and require routine access to PHI.
  • Anyone who offers a personal health record to individuals on behalf of a covered entity.
  • Subcontractors of business associates, if the business associate delegates to the subcontractor a function, activity, or service that the business associate has agreed to perform for the covered entity, or for another business associate and any of the delegated functions, activities, or services involve the creation, receipt, maintenance, or transmission of PHI.

Though covered entities and business associates are required to enter into business associate agreements (BAAs), anyone who performs services or functions that fit within the definition of business associate will be subject to the business associate obligations under the HIPAA compliance rules, even if no BAA is signed. Therefore, business associates now have a proactive obligation to identify their business associate relationships and satisfy the HIPAA rules in connection with those relationships.

The Final Omnibus Ruling of January 2013 significantly strengthened HIPAA compliance by enhancing reporting requirements and overall responsibilities for covered entities and business associates. It alerted healthcare organizations that they should take HIPAA compliance and enforcement very seriously. If a covered entity or business associate is aware of a compliance risk, and it has not been addressed, you are liable for a fine. Here are the key factors of this ruling:

  • Outlines the OCR’s data privacy and security enforcement strategies, as updated for the Electronic Health Records (EHR) era mandated by the HITECH Act.
  • Holds HIPAA business associates to the same standards for protecting PHI as covered entities, including subcontractors of business associates, in the compliance sense.
  • Increases penalties for noncompliance based on the level of negligence, with a maximum penalty of $1.5 million per violation.
  • Guarantees that organizations can operate with certainty that their privacy and security policies comply with all applicable regulations.

2: Don’t rely on business associate agreement requirements

The complex legalese in a standard BAA is too general to protect your organization. In a standard BAA, the partner organization pledges to uphold a range of HIPAA compliance requirements, including technical, administrative, and physical safeguards.

However, it’s not enough just to define your partner’s responsibility to protect PHI. You also need to be specific as to how they’re expected to do it. According to HIPAA, a BAA should address how the partner is authorized to use protected health information, who can access it and under what circumstances, and what protections the associate will use with subcontractors.

The agreement should also specify how the partner will enforce compliance—through employee training, supervision, internal auditing, and other appropriate measures. For example, write the breach notification clause with details, such as how and under what circumstances the associate should contact you, and how quickly they’re expected to do it.

How to Satisfy HIPAA Compliance Requirements

Physical Safeguards: How do you ensure that a home office location is at the same level of compliance as an onsite workstation? This requires the cooperation of every employee to ensure the following:

  • Each home office is located in a separate area that is used exclusively for work purposes during work/business hours. This work area must have a door that can be closed and locked.
  • Each employee signs a statement verifying that other individuals do not have access to view or log on to the computer system at any time where/when protected health information is visible.
  • Equipment and confidential information are secured when the employee is not present.
  • Any printout that is referenced is stored in a locked cabinet when not in active use by the employee.
  • Business telephone conversations involving confidential information are not audible to others present in the home and are conducted within a closed-door environment if PHI is referred to or discussed.
  • Documents viewable on an employee’s screen are not accessible or viewable by others.
  • A photo of each employee’s workplace is kept on file to validate the above requirements.

Administrative Safeguards: While many business associates may believe they are diligent in their HIPAA compliance, they may be unaware that the following company-wide policies and procedures are required:

  • Security—All business associates that have access to protected health information must have a designated security officer, a security officer job description, a security plan for laptops and remote access, a HIPAA security policy, a security risk management program, a security breach and incident response plan, comprehensive records on employees including background checks, validation of certifications, and LEIE checks.
  • Privacy—All business associates that have access to PHI must have a designated privacy officer, a privacy officer job description, a privacy risk management plan, a HIPAA privacy plan, a privacy breach and incident response plan, a physical safeguard policy, a privacy plan for laptops and equipment, and an ePHI policy to ensure transmission is secure and compliant.

Technical Safeguards: Home workstations do not have the inherent IT protection of an onsite workplace. To ensure protection, each home workstation must have installation of endpoint security software and installation of user monitoring software.

Additional Safeguards: Each individual employee who has access to PHI must sign a workplace physical safeguards acknowledgement, a HIPAA compliance acknowledgement, and an updated BAA. These agreements must be kept current and on file. Offboarding policies and procedures should be created for terminating access to PHI when a workforce member terminates employment. Maintain records to ensure access to PHI is terminated and any systems or devices containing PHI under employees’ control have been returned, including the deletion of network and application access within one business day of termination. Also, create onboarding polices to ensure new employees are properly trained and in compliance.

3: Require a security risk assessment

Performing a security risk assessment is a HIPAA compliance requirement that is often overlooked. Widespread confusion in the healthcare industry continues to persist about OCR risk analysis requirements under the HIPAA Security Rule.

Half of the settlements the OCR has announced in the last 12 months and many of the $1 million-plus settlements reached during that time period involve failure to perform an adequate risk analysis.

The HIPAA Security Rule defines a risk analysis as an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”

One source of confusion is the use of the terms “risk analysis” and “risk assessment.” The OCR itself uses these terms interchangeably. Keep it simple. A risk assessment is required under the HIPAA Breach Notification Rule to determine whether unauthorized use or disclosure of protected health information creates more than a low probability of compromise, requiring reporting to OCR.

4:  Develop a vendor risk management strategy

Vendor risk management is a process to assess and manage the security risks of any third-party supplier. Developing a vendor risk management strategy is critical for healthcare organizations. With federal regulatory requirements on privacy and security of PHI, covered entities have an obligation to protect their own operations and information, along with those of contracted vendors that have access to PHI.

Unfortunately, contracted vendors haven’t always demonstrated responsibility in the handling of PHI, resulting in a rise in healthcare breaches. At the same time, healthcare organizations often sign contracts with outside vendors without investigating or challenging each vendor’s compliance. Because vendor risk management has been poorly managed, federal regulations have become more targeted over the years to include third-party vendors and business associates.

Recent updates to OCR protocols now require covered entities to be responsible for the compliance of their business associates on behalf of the covered entity. Healthcare organizations must understand the vulnerabilities and controls in place for each contracted vendor, because the privacy and security of PHI is still the responsibility of the covered entity, regardless of where that information lives.

The biggest challenge for covered entities is the incredibly high volume of vendor tracking. Even a small hospital could have up to a hundred BAAs, which may not include business associates that employ their own subcontracted business associates that need to be assessed and managed.

A covered entity should insist that its own security and risk protocols are reflected and supported by its business associate’s assessment. These internal protocols should be reviewed consistently as part of an ongoing vendor risk management strategy to account for any updates or changes in the use of technology or in regulatory requirements.

Covered entities may not have a complete inventory of all the business associates that provide services. BAAs can be scattered throughout different departments in an organization. A vendor risk management program cannot be properly managed by using individual, disparate documents. Department specific manual files are not sufficient to handle the volume, analysis, storage, and oversight required.

As a result of these factors, the practice of implementing vendor risk management software is fast becoming a preferred strategy. If your organization is considering vendor risk management software, look for a comprehensive tool that can inventory, organize, track, and manage. The tool should include alerts, flexible categorization, and planning functions.

Ensuring HIPAA Compliance is Up to You

Internal compliance measures are not enough to protect a covered entity from compliance infractions involving protected health information. Your business associates can also put you at risk. A comprehensive vendor management process should be in place to ensure that your vendors who handle PHI are also in full compliance.