HIPAA: Reducing Liability by Managing Business Associates
Now that vendors are accountable under HIPAA, you could face increased liability if these business associates are responsible for patient privacy breaches.
The Office for Civil Rights (OCR) handed down its first major fine against a business associate this year. Catholic Health Services of the Archdiocese of Philadelphia, which provides management services to nursing homes, was fined $650,000 after an employee's mobile phone containing protected health information (PHI) was stolen in 2014.
OCR's investigation into the incident found the device was unencrypted and had no password protection. Catholic Health Services also lacked a risk analysis and had no risk management plan in place for breach mitigation.
In this instance, the investigation and fines were limited to the vendor. As business associates are increasingly scrutinized, however, providers may become more susceptible to OCR audits or patient lawsuits. Here's how to shield yourself from problems.
Consider the chain of business associates
It's challenging enough to keep your own staff in check when it comes to HIPAA compliance. Making sure your business associates are complying may seem nearly impossible. But you need to consider your liability.
Mark Dietrich, an accountant who specializes in health care valuation and lectures on HIPAA issues, recently had a physician's external billing company send him 5,000 lines of patient information through his web-based data exchange. He deleted the information and informed the client what had happened. Not every provider is lucky enough to have a misdirected disclosure land with a recipient who deletes the data and reports it.
“Doctors have to be aware that their business associates may have business associates as well,” he said. “It's not difficult to envision a circumstance where the business associate of a doctor loses patient information and that becomes an issue for the doctor.”
Ask the right questions of vendors
It's no longer sufficient to send out blanket business associate agreements, cross your fingers, and hope for the best. You may not have time to vet each vendor, but you should be able to create a questionnaire that will provide enough information to gauge business associates' compliance level.
“Business associates are calling constantly now, losing clients or not getting new ones because doctors are asking more of them than they used to,” said Brian L. Tuttle, senior compliance consultant with InHealth Professional Solutions in Atlanta.
If you can't send the questionnaire to every vendor, focus on higher-risk vendors such as billing companies, transcriptionists and IT providers. Tuttle recommends a list of no more than about 25 questions hitting the highlights of HIPAA compliance. This can include the following:
- Their risk analysis plan (and a request to see it)
- Their IT practices
- Server maintenance and backup information
- Whether they use personal devices for PHI
- The physical security of the business
- Password policies
- Whether they do background checks on employees
- Whether staff are trained
- Disclosure policies
- Whether they encrypt devices
- A breach mitigation plan
Tuttle is currently working on a case where a vendor used the same username and password for all of its employees in the system. That shared credential led to a breach. Patients have brought a class-action lawsuit against the provider because the provider was aware of the shared-credential practice and allowed it to continue.
Vetting vendors and having them sign off on your questionnaire can help shift some of the responsibility away from your office should this kind of problem occur.
“What this does is, if there is a nasty breach, you can prove to OCR or in court that you have done reasonable and appropriate due diligence above and beyond a business associate agreement,” Tuttle said.