If You Can Access Protected Health Information – You’re a Business Associate

Organizations are beginning to understand that the regulations apply not only to Covered Entities (health care providers, health plans, and clearinghouses), but also Business Associates - third parties that may also have access to patient data. The US Department of Health and Human Services (HHS) defines a Business Associate as a “person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.” HHS notes that Business Associates could fall under any of the following service functions: “claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing.”

OCR Vows to Crack Down on Business Associates

Enforcement penalties can be severe for Business Associates. Last June, HHS Office of Civil Rights (OCR) published the details of a settlement agreement with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS). The settlement came as a result of a theft of CHCS mobile devices that compromised patient data for hundreds of nursing home residents. OCR’s investigation of the incident also determined that CHCS had no risk analysis or risk management plan. CHCS was hit with a penalty of $650,000 and is implementing a corrective action plan.

Strict enforcement measures against BA’s and penalties for non-compliance will continue to rise in 2017 and beyond. The American Bar Association noted in December that “While in years past the government focused on covered entities subject to HIPAA, 2016 marked the first year that business associates took much of the limelight...this oversight will likely not slow down in 2017.” Last year saw plenty of enforcement actions against BA’s, who were also included in OCR’s Phase 2 desk audits. 

While the threat of being audited will remain constant, the larger concern should continue to be breach avoidance. For software vendors such as EHR providers who may exchange patient data with hundreds of technology partners, it is increasingly important to understand the security risks of their BA’s.

In OCR’s May 2016 Cyber Awareness bulletin, they emphasized the importance of assessing the risk of BA’s:

“Covered entities and business associates should train workforce members on incident reporting and may wish to conduct security audits and assessments to evaluate the business associates’ or subcontractors’ security and privacy practices. If not, ePHI or the systems that contain ePHI may be at significant risk.”

HIPAA Risk Advisor

Business Associates can now utilize Focal Point’s HIPAA Risk Advisor – a cloud-based platform that simplifies and accelerates HIPAA compliance initiatives. HIPAA Risk Advisor includes an automated security risk assessment tool that includes a dedicated HIPAA security expert to navigate you through the entire process, providing a risk and gap analysis with recommendations to improve security.

Originally built for Covered Entities, Focal Point is announcing platform enhancements to tailor the assessment process to the specific needs of business associates.

HIPAA Risk Advisor is primarily delivered through our IT Service Provider channel partners. These partners are ready to assist with remediation services to reduce risk and help both CE’s and BA’s achieve compliance 

Interested in becoming a partner? Want to find a partner in your area? Contact Steve Hellin at shellin@focal-point.com