The relationship between a covered entity and business associate requires a delicate balance of trust. This balance of trust works because each is invested in the security and protection of personal health information. As a covered entity, it is important to partner with business associates that have a strong security posture with safeguards and controls in place to prevent HIPAA violations and fines.
As a covered entity, there is a heavy responsibility to know how your trusted business associates are using and protecting ePHI. To help better distribute the responsibility between a covered entity and business associate, an update was made to the Final Rule to outline the responsibilities of a business associate and their liable.
On May 24, 2019, the Department of Health and Human Services Office of Civil Rights released a fact sheet that, “Provides a clear compilation of all provisions through which a business associate can be held directly liable for compliance with certain requirements of the HIPAA Privacy, Security, Breach notification and Enforcement Rules, “HIPAA Rules.””
What changes were made?
In the new fact sheet, there are ten guidelines outlined that business associates can now be held directly liable for if a breach occurs. Below is a summary of the violations:
- Failure to provide records and compliance reports, cooperate with investigations and reviews, and permit access to information to determine compliance
- Taking retaliatory action against individuals filing a HIPAA complaint
- Failure to comply with the Security Rule requirements
- Failure to provide breach notification to a covered entity or another business associate
- Impermissible use and disclosures of PHI
- Failure to disclose a copy of PHI to the covered entity
- Failure to make reasonable efforts to limit PHI to minimum necessary
- Failure to provide an accounting of disclosures
- Failure to enter into business associate agreement with subcontractors that create or receive PHI, and failure to comply with the implementation specifications for such agreements
- Failure to take reasonable steps to address a material breach or violation of the subcontractors’ business associate agreement.
What does this mean moving forward?
Because covered entities are responsible for notifying both the Federal Government and those individuals involved in the breach caused by a business associate, it is understandable some anxiety results in trusting others with ePHI. The way a vendor handles ePHI can greatly impact goals for any healthcare organization.
Having a proper HIPAA Security Risk Analysis performed covers basic requirements on how to manage business associates for the covered entity.
More covered entities today are requiring business associates to complete a HIPAA Security Risk Analysis or data security checklist with similar policies, procedures and evidence (e.g. screenshots showing proof of encryption, firewall configuration, data loss prevention and log/alert settings) to be sent for approval prior to signing an agreement and allowing access to ePHI.
These assurances protect the covered entity, the business associate and most importantly the individual’s rights to privacy and security.
How can HIPAA One support the balance of trust?
The complexity of managing multiple business associate agreements and contracts can quickly become unmanageable. However, HIPAA One will be releasing a new tool to help healthcare organizations better manage and track, automate and update these agreements all in one place.
This new Vendor Management System (VMS) is built on HIPAA One’s existing BAA contracting software which was designed to allow healthcare providers better organize contracts and reduce the time, effort, and administrative overhead. Below are the key features of the VMS tool:
- Automated reminders, tracking, and updates with the option to bulk upload vendor information
- Straight forward, ready-to-use contract templates (CE-friendly). Edits are easy to perform, and all fields are pre-filled for simpicity
- Flexible and customizable templates can be grouped by purpose or department. VMS also allows edits to existing legal contracts
- VMS satisfies security requirement standards by requiring the business associate, vendor or recipient of the contract to upload proof of compliance prior to sending the BAA contract
- Built-in electronic signatures file the agreements upon signing making it easy to find during audits or contract reviews. All files, communications and actions are logged automatically
- This tool can integrate with EHR or ERP financial platforms. Additionally, in subsequent HIPAA One Security Risk Analysis, users will have their inquiries pre-filled for questions related to Business Associates
We understand that it takes a lot of trust to partner with business associates and share critical data across the continuum of care. Ensuring each vendor has a standard of security that satisfies requirements is important before allowing a BAA to be signed. If you would like to know more about our Business Associate Agreement tool, or would like to be notified when we release our Vendor Management Solution, please contact us at [email protected]