Last week we discussed the importance of an IT asset inventory as a core element of a complete HIPAA Risk Analysis. Today, and in future blogs over coming weeks, we will discuss in detail the key elements of a complete Risk Analysis – what HIPAA regulations require and what the Office for Civil Rights (OCR) in the U.S. Department of Health and Human Services (HHS) is looking for.
This week we will discuss business associate due diligence. It’s a required part of a complete HIPAA Risk Analysis. Failure to do it risks protected health information (PHI) in your care, and will greatly increase your penalties if OCR investigates.
Business associates are vendors (to a covered entity) that “create, receive, maintain or transmit” PHI, while performing a service involving the PHI. Common examples include billing and coding companies, IT and EHR vendors, cloud service providers, collection agencies and accounting firms.
Prevent Bad Outcomes by Paying Attention
Every single OCR HIPAA investigation in the last several years highlights the need for a complete HIPAA Risk Analysis and follow-through with ongoing Risk Management. When investigations go south and fines are paid, it’s because there was a big piece missing from the Risk Analysis, or a failure to pay attention to Risk Management afterward. Often, business associates who aren’t complying with HIPAA are part of the problem, but it’s your responsibility to ask questions.
OCR is not looking for perfection, and no covered entity or business associate is expected to eliminate every risk. That’s not what HIPAA requires. However, it does require you to be thorough and honest with yourself so that you can uncover the risks you have. Everyone has risks. You need to learn what yours are and reduce and manage them as best you can.
A deep dive doesn’t have to be scary! It can be illuminating, and lead to clarity. And it’s essential for complete HIPAA compliance.
What is HIPAA Risk Analysis – Risk Management?
You can see a fuller explanation here.
A recap, from a 30,000 foot view – Risk Analysis is an inventory of locations and risks to protected health information (PHI). Risk Management is the plan to reduce the risks you identify. It does not require perfection, or budget-breaking changes.
Key elements of the Risk Analysis:
- The inventory must include both electronic and non-electronic information
- The inventory should list workforce (staff) and business associates (or subcontractor business associates)
- It must include every location, not just the main office
- Do it once a year
Risk Analysis uncovers risks (once a year) and Risk Management helps you reduce risks (throughout the year).
Business Associates are Often a Weak Link in Compliance
In the fast pace of healthcare, business associates are sometimes overlooked. Most covered entities have at least one, e.g., Microsoft, or Amazon Web Services, but many have multiple business associates who help do the work of healthcare.
For business associates: if you are a business associate complying with HIPAA, kudos! Any subcontractor you use, if they create, receive, maintain or transmit PHI, are subcontractor business associates under HIPAA and should be included in your roster of subcontractors in your HIPAA Risk Analysis. Be sure to have a subcontractor business associate agreement (BAA) in place.
The largest HIPAA breach of PHI in 2019 happened at a business associate medical collections company. The American Medical Collections Agency serviced LabCorp, Quest and many other covered entities, and when a breach happened there, over 25 million patients’ PHI was exposed. It’s likely that the covered entities that had contracts with AMCA did NOT perform “due diligence”. Huge class action lawsuits against AMCA, Quest and LabCorp (and others) followed, and AMCA declared bankruptcy.
Due Diligence Requires Asking Questions
Due diligence simply means asking questions. Good business practices in any field call for paying attention to the organizations you’re entering contracts with. For HIPAA compliance you are required to obtain “satisfactory assurances” from a business associate that they will safeguard protected health information they’re entrusted with.
Questions to ask a business associate, or a subcontractor business associate:
- Do you follow HIPAA?
- Do you have a designated HIPAA compliance person?
- When did you last perform a Risk Analysis?
- If you have not done one, are you willing to do one now?
- Will you enter a business associate agreement with our organization?
All of the questions and answers should be documented, so you can prove you did your job.
Consequences of Failing to Ask can be Severe
If you engage a business associate, or subcontractor business associate, without asking questions, you are putting yourself at risk. Or, if you ask once, then don’t pay attention to any changes or updates to their business you may be at risk. Every year, during your Risk Analysis, check your list of BAs and make sure you still have a BAA in place – are they conducting an annual Risk Analysis?
If you disclose PHI to a business associate, or allow a business associate to create, receive, maintain or transmit PHI on your behalf without performing due diligence, you may be charged with acting with “willful neglect” exposing you to the highest levels of a civil money penalties for a HIPAA violation. Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply.
HIPAA Does Not Prevent Use of Offshore Business Associates
It is more and more common to engage a firm outside the United States as a business associate. However, offshore BAs may not be subject to HIPAA compliance regulation by HHS or the jurisdiction of U.S. courts for private enforcement of their obligations to covered entities and business associates.
So it’s critical to ask offshore BAs:
- Is your business organized or registered in the United States so that it is subject to HIPAA compliance regulation by The U.S. Department of Health and Human Services and jurisdiction of U.S. courts?
Whether in the U.S. or offshore, if a vendor is unwilling to follow HIPAA or enter a business associate agreement, they are putting your HIPAA compliance in jeopardy and bringing huge risks to your organization.
Create and Save a List of All Business Associates
Starting in 2016 covered entities, upon request by OCR, have been asked to identify all business associates. The OCR request of a Covered Entity for BA information asks for:
- Name of Business Associate and type of service provided;
- Direct contact information of one person (two if available) at the Business Associate that includes the contact’s name, title, address, telephone and fax number and email address; and the Business Associate’s Web Site URL.
We have the business associate roster ready for you in The HIPAA E-Tool®.
Business Associate Due Diligence is Easy with The HIPAA E-Tool®
The HIPAA E-Tool® understands business associates and knows how to complete due diligence, both for HIPAA compliance and your own peace of mind. It contains templates of business associate agreements, and subcontractor BAAs that are easy to modify to fit your organization.
There is a business associate roster embedded in The HIPAA E-Tool® – an interactive form you can fill out and save, easily accessible whenever you need to amend it, or repeat your Risk Analysis.
Don’t move forward if something is hazy or unclear – we can help you find clarity. HIPAA compliance is easy step-by-step, if you know the steps.