Business Associates Gone Bad – What’s a Covered Entity To Do?
With the HIPAA Omnibus Final Rule, expectations for Business Associate compliance have ramped up significantly. It seems many BAs have had trouble responding.
It turns out BAs are to blame for almost 30 percent of breaches reported on the Department of Health and Human Services (HHS) Wall of Shame. In total, nearly 300 breaches have been triggered by BAs, affecting more than 31 million individuals.
A timely example comes to us courtesy of Boston Medical Center, which recently fired a transcription vendor after the firm posted information on 15,000 patients to its unsecured website.
BAs have not had as much time as Covered Entities (CEs) to prepare for heightened compliance expectations and, as a result, many are way behind in taking adequate measures to safeguard protected health information. If you are a CE, that’s a big problem.
At a recent Clearwater HIPAA Blue Ribbon Panel event, a group of national experts provided insight and guidance for CEs to help properly monitor and manage BA relationships. Their top tips include:
- Create an inventory of all your Business Associate relationships. Be as comprehensive as possible.
- Rank-order your BAs on key variables such as the sensitivity of the patient data they can access, the nature and frequency of that access, and their track record with data privacy and security.
- Be certain to update all Business Associate Agreements (BAAs) according to the latest requirements.
- Conduct a BA Summit to help your partners better understand their responsibilities and learn how to enhance HIPAA compliance efforts.
- Implement an ongoing Business Associate monitoring and management program.
These are great action items for CEs who are serious about getting a better handle on the PHI protection practices of their vendors. At the end of the day, every BA relationship you have poses at least some degree of risk related to HIPAA compliance. What are you doing to ensure a bad BA doesn’t land your organization on the naughty list?