HHS Audits Increasing Focus on Business Associates.

The current round of HHS audits have increased their scrutiny on healthcare providers’ Business Associates. This means that just having a BA agreement in place is not enough; healthcare organizations need to also look at the security controls in place for each of their BAs.

These security controls should include encryption of laptops and any other devices that BAs may use to handle PHI. As the recent breach involving the NFL, which could have easily been avoided with basic security practices, has demonstrated, breaches of health information security can come from a variety of sources and anyone who has access to PHI has a legal obligation to protect it.

Due to the fact that BAs are responsible for a significant percentage of breaches on the HHS Wall of Shame this increased scrutiny is warranted and needed. You can’t effectively protect your patient’s sensitive health information if your BAs aren’t taking adequate security measures.

Here are some practical steps healthcare organizations need take to help ensure their BAs are being diligent about data security:

  • Conduct a BA inventory. Hospitals should document a list of all BAs and the contact information of their compliance officers. Every organization should ensure their BAs are receiving the minimum necessary PHI for the services they are providing.
  • Risk-rate BAs. Healthcare providers should determine which BAs have access to the highest volume of patient data and the ones that are most critical to the organization. These are the BAs that need the closest scrutiny.
  • Review BA agreements. Healthcare providers should make sure that new BA regulations required under the omnibus final rule have been incorporated into all contracts.
  • Provide BAs with a Notice of Privacy Practices. This helps ensure they are aware of their compliance requirements. BAs should be provided any updates to the NPP on a timely basis.
  • Vet prospective BAs. Problems can often be prevented by sending prospective BAs a questionnaire on their privacy/security policies, including requesting details of any previous incidents or breaches and of the remediation steps taken to avoid others in the future.
  • Require greater BA accountability. Healthcare providers should insist on an annual attestation of HIPAA compliance from all BAs and follow up to ensure their delivery. BAs should also be required to notify hospitals of incidents or breaches within five days.
  • Request a list of all BA subcontractors and services. A subcontractor or vendor working for a BA can also pose a security threat. Although provider organizations are not responsible for ensuring their compliance, requesting a list of subcontractors will help ensure they are on top of their compliance requirements.
  • Have adequate BA backup. If a BA is terminated for ongoing insufficient security, it’s wise to have a substitute ready to take over.

Maintain thorough documentation of all these activities. Documenting BA security programs show regulators that a hospital is serious about safeguarding patient data.

If you have any questions regarding the current round of HIPAA Audits or Business Associate security, please contact ITPAC today.