To all of you in healthcare (and anyone who goes to the dentist, has ever had an unexpected stay in the ER, or has had to get some physical therapy for that injury from way back when that somehow seems to creep back into painful existence time and time again), I’m sure you’re concerned with making sure your treatment works and that you or your patients are getting the highest quality of care.
Part of keeping doctors focused on what they do best is handing the rest off to outside vendors, and that is where business associates have helped healthcare organizations immensely.
But who the heck are business associates?
Technically speaking, a business associate is any person or organization that, on behalf of a covered entity such as your practice, performs functions or activities involving the use or disclosure of protected health information (PHI). In practice, that means any vendor that handles any patient data on your behalf, even just names, dates of service or facility names, should be treated as a business associate.
How many business associates does your office have?
If you’re like many offices, you probably cannot count your business associates on one hand. Think about all of the services vendors provide for you: your EHR platform, cloud storage, any lab facilities you send specimens to, your medical billing company, and so on. The list goes on, but the point is that business associates are everywhere, and in most network security assessments we are not seeing proper documentation of all of the organizations that interface with your practice or facility.
Why should you care about your business associates?
The Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) is cracking down on facilities that do not have business associate agreements in place with the companies and organizations that use, process or otherwise touch any form of protected health information. Recent cases have led to fines ranging from tens of thousands to hundreds of thousands of dollars. Here in Philadelphia, Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), which acted as a business associate for several nursing homes, settled with OCR for $650,000 after failing to safeguard the PHI of the residents of those facilities. Essentially, OCR holds your facility responsible for what your business associates do with your data. If you do not have current business associate agreements with them, you will almost certainly be on the hook for any data breach or attack affecting the confidentiality or integrity of that information.
What is in a business associate agreement (BAA)?
BAAs are contracts that spell out how a business associate may use and disclose, and must safeguard, your facility’s protected health information. At minimum, each of your business associate agreements should:
- Establish the permitted and required uses and disclosures of protected health information by the business associate.
- Provide that the business associate will not use or disclose PHI other than as permitted by the contract or required by law.
- Require the business associate to maintain appropriate safeguards to prevent unauthorized use or disclosure of electronic PHI. (If you are concerned about whether a business associate is actually protecting your information, a network security assessment of that vendor is the way to find out rather than take their word for it.)
- Require the business associate to report to you any use or disclosure of PHI not provided for by the contract, including breaches and security incidents.
- Require the business associate to disclose PHI as specified in the contract so that you can satisfy individuals’ requests for copies of their PHI.
- Require the business associate, to the extent it carries out any of your obligations under the HIPAA Privacy Rule, to comply with the requirements of the Privacy Rule that apply to you when carrying them out.
- Require the business associate to make its internal practices, books and records relating to the use and disclosure of your patients’ PHI available to HHS.
- Require the business associate, at termination of the contract, to return or destroy all PHI received from you or created on your behalf, if feasible, and to keep protecting any PHI it must retain.
- Require the business associate to ensure that any subcontractors working on its behalf agree to the same restrictions and conditions in your BAA.
- Authorize you to terminate the contract if the business associate materially breaches the terms of the BAA.
The bottom line…
You really should know who is working with you, how they are handling your data, and have a way to verify that they are actually keeping your patients’ data secure. At minimum, keep an inventory of every vendor that touches PHI and make sure you have a current, signed business associate agreement with each of them. You may also want to require those associates to have their network evaluated with a network security assessment to make sure all of their ducks are in a row.