Almost all hospitals outsource a myriad of services for better and more cost-effective operational results. These services extend well beyond the traditional transcription, data entry, housekeeping and food services of yesteryear. Today, outsourcing services are used for health information management, revenue cycle management, clinical research, IT support, data storage and security, and many other clinical and non-clinical functions. While outsourcing can be a huge boon to efficiencies and quality, it also may bring serious HIPAA-related risks if the vendor qualifies as a business associate (BA) under the law.
Which vendors qualify as business associates? What are the HIPAA risks of depending on these outsiders? Data security and privacy breaches by business associates have exploded in recent years, but diligent management by your hospital via proper procedures will minimize its risks. Here’s what you need to know.
During the first half of 2017, business associates were involved in 409 HIPAA data breaches, with 31,239,362 patients of hospitals and other healthcare providers potentially exposed. A risk management program addressing outsourcing vendors and other business associates (BAs) has never been more critical.
Which of your hospital’s contractors are business associates under HIPAA?
Business associates include the people and companies that support a HIPAA-covered entity — in this discussion healthcare providers in particular. Anyone who comes in contact or could potentially come in contact with Protected Health Information (PHI) is a business associate. The Omnibus HIPAA rule of 2013 says “business associates” include all vendors that create, receive, maintain, or transmit protected health information (PHI) on behalf of a covered entity, e.g. a hospital or payor. This includes your EHR vendor, other PHI-touching systems vendors, data storage firms, billing outsourcers, consulting firms, clinical service desks, lawyers, accountants, IT contractors, cloud storage services, email encryption services, web hosts, and more. It can even include your housekeeping and waste disposal outsourcers.
To complicate this scene even more, subcontractors of business associates that perform business associate functions are themselves business associates. As a result, the Omnibus Rule requires a chain of compliance starting with the HIPAA-covered entity, through the business associate, and ending with the lowest-tier subcontractor.
Just as covered entities are held responsible for breaches or violations by their business associates, “first level” or primary business associates are held responsible for the compliance of their subcontractors. Business associates are now subject to the same penalties for noncompliance as covered entities. And, as of 2016, business associates are being audited for compliance by the Office for Civil Rights (OCR).
To learn more about the Omnibus HIPAA rule, and its privacy and security requirements, read our complete summary in our knowledge resources library.
Implementing a business associate risk management program
Bringing any external vendor into your hospital adds significant privacy and security risks. These are greatly compounded if the vendor uses subcontractors that also touch PHI.
Risk management can be divided into two broad stages: due diligence prior to engaging a vendor, and on-going monitoring and reporting. A cautionary note on due diligence: you may have narrowed your choice of vendors to just two or three, but if you haven’t performed a HIPAA risk assessment with finalists, you’re not ready to make a choice. HIPAA requires that you obtain satisfactory assurance of compliance in writing from all of your business associates.
Here are the essentials of a strong risk management program:
- Your chosen vendor and any sub-contractors that will have contact with PHI in your organization should be willing to sign a HIPAA Business Associate (BA) agreement in order to work for you. If they are not willing, you will have to move on to another vendor. Why? Because your hospital, a HIPAA-covered entity, will be held accountable for NOT creating an agreement, especially if it is audited by the Office for Civil Rights (OCR) or is the victim of a breach. In the latter case, you should expect financial penalties.
- You should determine the level of access to PHI that the prospective vendor and sub-contractors may have in their relationships with your organization. This will provide a foundation for evaluating the severity of risks presented by contracting with the vendor. Minimal exposure or access means minimal risk. The opposite is also true.
- Now comes the heavy lifting part of due diligence: your hospital must conduct an assessment of the vendor’s compliance with HIPAA regulations, the integrity of the vendor’s data, and its ability to prevent breaches and detect them. The following list of assessment factors is not meant to be comprehensive, so you should enlist your organization’s security/privacy officer (who must be well versed on HIPAA) to manage the assessment. As examples, the process should include ascertaining through documentation and first-hand observation that the vendor meets the following requirements:
  - BAs must have an assigned security/privacy officer. This person must know HIPAA and have the authority to step in and make recommendations to the IT department and senior management when necessary.
  - BAs are required to have a documented set of privacy and security policies and procedures, which your organization should review as part of the vendor vetting process. The policies should cover the vendor’s employees, volunteers, contractors, and other members of the BA workforce.
  - BAs must maintain an active security/privacy program that aligns with HIPAA requirements, at the very least. The program also should align with your organization’s security program. The BA’s program needs to include ongoing security administration activities to assess, monitor, prevent, and mitigate security threats. It must have established systems for discovery of breaches and a formal response plan in such an event. The BA should be providing annual HIPAA training to its workforce.
  - If a prospective BA is contracting with downstream business associates on your hospital’s behalf, it must have BA agreements with them and impose the above data security and applicable privacy requirements on them. Their contracts should include documentation of the upstream BA’s right to terminate the downstream vendor for security or privacy violations. If the BA uses several BA subcontractors, your organization’s review process will either go smoothly if the prime vendor has a well-managed HIPAA compliance program, or it will crumble under the weight of too many unanswered questions by an unprepared vendor.
  - The vendor should have adequate physical security protections in place, in addition to systems and process protections. You should assess facility access and other physical security measures implemented by the vendor. Ideally, this assessment should occur onsite, particularly if the vendor is to have significant access to your data.
  - You should assess the vendor’s ability to perform in the event of a system or process failure or catastrophe. For example, can it show you that it has a current disaster recovery plan? Has it implemented appropriate redundancies to prevent lost data?
  - Even if all looks positive in the initial assessment phase, the vendor or a subcontractor may have experienced HIPAA breaches. This doesn’t necessarily present a hard stop in your relationship. Get a report on any HIPAA breaches the vendor or sub-contractor may have caused or been part of, along with subsequent remedial efforts. Assess the potential impact of the breach history on your organization’s reputation. Hopefully, you will find that the vendor’s remedial work is sufficient to justify moving to contract.
  - The financial stability of the vendor is significant not only for good business reasons, but also to ensure that it is not vulnerable to failures that could jeopardize data privacy and security. Request appropriate financials.
- Within your contract, you should require the vendor to complete privacy/security assessments annually, to be submitted to your organization.
- Just as your BAs will have reserved the right to terminate their subcontractors for security or privacy violations, your own BA vendor contracts should include similar provisions for terminating the relationship cost-effectively.
- Maintaining and managing your BA vendor inventory is a difficult necessity. Many hospitals’ purchasing departments do a good job of general vendor tracking, but their IT leaders may be less tuned in to such old-fashioned record-keeping. BA inventory management, typically the job of the security/privacy officer (often an IT employee), includes maintaining up-to-date copies of contracts, service level agreements (SLAs), BA agreements, and follow-up assessments.
- Due diligence is never “done.” The security/privacy officer should regularly monitor all BA vendors’ SLA performance, and their security and privacy-related activities and performance. If you have required your BAs to complete a privacy/security assessment annually, you should expect to receive a documented update each year. The update should include similar reports provided to the BA by its subcontractors. Create a follow-up calendar to make sure your BAs are held accountable.
- A business associate risk management program can only be effective if your security/privacy officer and/or others are held accountable for all of the above. This component is obvious, but presents a significant problem for many hospitals: this HIPAA-required role is often a part-time duty for staff members who have other responsibilities, or it is given low priority. While resource constraints are common, especially in smaller hospitals, the fact is that if the compliance officer does not have a mandate to manage the program, it will fail. An outsourced vendor’s performance – or lack thereof – could create reputational and legal consequences for your organization, not to mention data penetration disasters. If you do not monitor your outsourcing vendors’ activity, you could also incur sizable HIPAA penalties and loss of patient confidence.
Many vendors/business associates still don’t know that HIPAA covers them or what a BA designation means. This is partially because the covered entities they work for (hopefully not your hospital) have not completed HIPAA due diligence with them. Nor has the Department of Health and Human Services aggressively reached out to inform them of their responsibilities.
Our healthcare industry is learning the hard way. Cybercriminals are hammering it because they can. Negligence is way too commonplace, particularly among vendors that have no clue as to their HIPAA responsibilities. Our security and privacy environment is not yet as robust as industries like finance and manufacturing, but we can enhance it greatly just by following the rules. Hospitals and other covered entities must ensure that their internal staffs and their affected vendors understand and are consistently compliant with HIPAA.
For more information on HIPAA risk management, please contact us.