Business Associates Gone Bad – What’s a Covered Entity To Do?

With the HIPAA Omnibus Final Rule, expectations for Business Associate compliance have ramped up significantly. It seems many BAs have had trouble responding.

It turns out BAs are to blame for almost 30 percent of breaches reported on the Department of Health and Human Services (HHS) Wall of Shame. In total, nearly 300 breaches have been triggered by BAs, affecting more than 31 million individuals.

A timely example comes to us courtesy of Boston Medical Center, which recently fired a transcription vendor after the firm posted information on 15,000 patients to its unsecured website.

BAs have not had as much time as Covered Entities (CEs) to prepare for heightened compliance expectations and, as a result, many are way behind in taking adequate measures to safeguard protected health information. If you are a CE, that’s a big problem.

At a recent Clearwater HIPAA Blue Ribbon Panel event, a group of national experts provided insight and guidance for CEs to help properly monitor and manage BA relationships. Their top tips include:

  • Create an inventory of all your Business Associate relationships. Be as comprehensive as possible.
  • Rank-order BAs based on key variables such as the sensitivity of the patient data they have access to, the nature and frequency of that access, and their track record with data privacy and security.
  • Be certain to update all BAAs according to the latest requirements.
  • Conduct a BA Summit to help your partners better understand their responsibilities and learn how to enhance HIPAA compliance efforts.
  • Implement an ongoing Business Associate monitoring and management program.

These are great action items for CEs who are serious about getting a better handle on the PHI protection practices of their vendors. At the end of the day, every BA relationship you have poses at least some degree of risk related to HIPAA compliance. What are you doing to ensure a bad BA doesn’t land your organization on the naughty list?

Bob Chaput
CEO at Clearwater Compliance

Bob is the CEO and Founder of Clearwater Compliance. He has 25 years of experience in the healthcare industry, and his experience includes managing some of the world’s largest HR, benefits and healthcare databases, requiring the highest levels of security and privacy. Mr. Chaput continues to expand and update his knowledge base on HIPAA-HITECH compliance through postgraduate study, earning professional certifications and participating in professional healthcare and other organizations.