One day you awaken to a story in your newsfeed about a major cybersecurity incident that happened to one of your vendors. Thank goodness it didn’t happen to you. Are you off the hook if that vendor is sued or investigated for HIPAA noncompliance? You may NOT be, depending on your own compliance.
Healthcare organizations, like other businesses, depend on other skills to carry out their central job of patient care. Many healthcare providers, for example, do not do their own coding and billing, so they hire a vendor to do it. IT, accounting, practice management and legal services are all examples of critical functions required for a successful healthcare practice. All those vendors under contract to covered entities are HIPAA business associates if they handle protected health information (PHI).
Business Associates are Targets for Cyber Criminals
Business associates in healthcare are in the news lately, mainly because they’re getting hit with huge hacks, causing more and more patients’ personal information to be exposed on the web, stolen or used to commit fraud. Last week we wrote about the most recent business associate data breaches which, combined, affected millions of patients. So far this year, cybersecurity incidents at business associates have been growing, and they are expected to continue to grow. For the cyber criminal, one successful hack at a business associate can reap big rewards: the data of large numbers of patients, gathered from many covered entities in a single place. It’s simply more profitable than attacking one practice at a time.
Compliance Risks for Both Business Associates and Covered Entities
When the data breach is then reported to the Office for Civil Rights (OCR), it may lead to an investigation. If OCR finds that the business associate wasn’t following HIPAA, fines can be imposed, or a settlement may result. An investigation at a business associate may also lead to an investigation of the covered entities the business associate served, if OCR finds, for example, that business associate agreements were missing or out of date, or that the covered entity was otherwise negligent in managing its business associate.
Another growing risk is class action lawsuits. Although HIPAA doesn’t provide individuals a private right to sue, lawsuits under state privacy law are becoming more common, especially when a large number of patients is affected, opening the door to a class action.
Questions and Answers about HIPAA Business Associates
Question 1: I just took over HIPAA compliance at a mid-sized urology practice and I am reviewing the list of vendors to make sure we have business associate agreements in place. How do I know which vendors are true HIPAA business associates?
Answer: A vendor is a HIPAA business associate if they “create, receive, maintain or transmit” protected health information. So, it’s a fact-based individual decision for each one.
Question 2: We use Google cloud services to help manage our patient records. Is Google a business associate?
Answer: Yes. And Google has its own business associate agreement that it requires all of its customers to abide by, and they won’t negotiate or consider a different one. Like other software agreements, you don’t sign it, but you are notified that you have accepted its terms when you purchase and begin using Google’s cloud management service.
Question 3: The company we use for practice management and revenue cycle management experienced a major hack and our patients’ PHI was compromised. We have a business associate agreement with them. We are still investigating to gather all the information so we can notify our patients and the Office for Civil Rights (OCR). After we do those things, we’re off the hook right? Isn’t this their problem, since they’re responsible for their own HIPAA compliance?
Answer: While it’s true that business associates are separately responsible for HIPAA compliance and separately subject to investigation and fines for noncompliance, a covered entity that contracts with a non-compliant business associate may find itself answering questions, from OCR or in a lawsuit. The key question is whether the covered entity performed due diligence when selecting the business associate. It is not enough to go on faith and belief. Before entering a contract, you should ask several questions and probe the answers until you are satisfied that the business associate follows HIPAA. Then be sure to execute a business associate agreement.
Question 4: As a business associate myself, if I hire another company to help me fulfill my contract with a healthcare provider, do I need a HIPAA agreement with that subcontractor?
Answer: HIPAA requires a documented “chain of trust” running from covered entity to business associate, and down to subcontractor business associates. If your company, as a business associate, is entering a contract with a subcontractor, and that sub is exposed to PHI (do they “create, receive, maintain or transmit” PHI?), then it is your responsibility to conduct due diligence around their HIPAA compliance, and to execute your own business associate agreement with that subcontractor.
Question 5: What does due diligence mean?
Answer: It means asking the right questions. In brief: 1) identify which of your vendors are business associates; 2) ask whether they comply with HIPAA business associate rules; 3) document your questions and their answers; 4) enter a business associate agreement with them; and 5) periodically reconfirm that they are still in compliance. For more, see Managing Business Associates under HIPAA.
HIPAA Compliance Strengthens your Organization
Instead of thinking that HIPAA is an obstacle or a problem, think about it as a modern guide to protecting patient data and your organization. If you follow the HIPAA Security Rule, you have built the best defense possible against cybercrime.
Covered entities and business associates both need their own HIPAA policies and procedures, and both need to conduct HIPAA Risk Analysis and Risk Management.
Whether you are a covered entity or a business associate with subcontractor business associates, you need to make sure the business associates understand their HIPAA responsibilities and can back up their statements with concrete proof. Do your due diligence first, and have business associate agreements in place.
If you have a question that wasn’t answered here, send us a note. The HIPAA E-Tool® can help.