Back in 2013, when Edward Snowden was in Hong Kong revealing he leaked documents detailing mass-surveillance programs by the U.S. government, the Department of Health and Human Services (HHS) was creating the Final Omnibus Rule. This rule extended its regulatory reach beyond covered entities (e.g. healthcare providers, health plans, and clearinghouses) to business associates who would now need to comply with additional HIPAA rules.
If I’m a healthcare organization, I already answer questions about Business Associate Agreements (BAA’s) in my annual HIPAA Security Risk Analysis and I understand that if my Business Associate experiences a breach, I am responsible for notifying the individuals and HHS (along with my State in many cases). As a healthcare organization, I would also want to ensure my partners have a strong security posture which include controls and safeguards to prevent them from falling victim to HIPAA violations and fines where patient health information, financial, and reputational risk are all at stake.
If I’m a business associate, I want to demonstrate to my covered entity partner(s) that I take security and privacy seriously. I want to show that my organization can be trusted.
All it takes is one employee clicking on a phishing email, one unhappy “whistle blower” to trigger an audit, or one mistreatment of protected health information (PHI) and the Office of Civil Rights (OCR) is knocking on your door ready to do its job.
What is a Business Associate?
A business associate is defined as, “a person or entity who performs functions or activities on behalf of, or provides certain services to, a covered entity that involves access to protected health information (PHI).” A business associate is also considered a subcontractor that creates, receives, maintains, or transmits PHI on behalf of another business associate.
Three items required of a Business Associate
- Perform and document a security risk assessment (45 CFR 164.308)
- Implement specified physical, administrative and technical safeguards to protect ePHI (45 CFR 164.300)
- Report security incidents and privacy breaches to the Covered Entity (45 CFR 164.314(a), 165.410, and 164.502(e))
What is a HIPAA Security Risk Analysis?
When the Security Rule was added to HIPAA, we learned it, “identifies risk analysis as the foundational element in the process of achieving compliance, and it establishes several objectives that any methodology adopted must achieve.”
Essentially, the HIPAA security risk analysis (SRA) is meant to identify potential risks and vulnerabilities to your organization. Once the risks are identified, using NIST standards, a plan can be put in place to properly prioritize the level of risk to your organization (Likelihood x Impact = Level of Risk). Then, it is time to remediate and complete your SRA.
How often do I need to do a Security Risk Analysis?
The U.S. Department of Health & Human Services (HHS) says the risk analysis process should be ongoing. In order for an entity to update and document its security measures “as needed,” which the Security Rule requires, it should conduct continuous risk analysis to identify when updates are needed. (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii).)
Per HHS, the Security Rule does not specify how frequently to perform risk analysis as part of a comprehensive risk management process. However, nearly all covered entities and business associates may perform these processes at least annually depending on circumstances of their environment.
Can we get away without performing a Security Risk Analysis?
Just like there are motorists on the road without car insurance, I’m sure there are healthcare organizations and business associates conducting business without performing their SRA. These motorists hope they don’t get pulled over or get in an accident. Comparatively speaking, everyone hopes they don’t have an employee that mistakenly clicks the wrong link in an email and creates a breach related incident.
If you are a business associate, you are required to comply with HIPAA rules like a covered entity before signing your BAA. This is done by completing a full HIPAA security risk analysis which should be updated at least every 3 years, or when significant changes happen to your computing environment. It is important to always implement policies and procedures that satisfy HIPAA compliance.
It’s good for your organization and those with whom you do business and can save millions in an audit.