
Am I A Business Associate Under HIPAA? Why Should I Care?


Back in 2013, when Edward Snowden was in Hong Kong revealing that he had leaked documents detailing mass-surveillance programs by the U.S. government, the Department of Health and Human Services (HHS) was creating the Final Omnibus Rule. This rule extended its regulatory reach beyond covered entities (e.g. healthcare providers, health plans, and clearinghouses) to business associates, who would now need to comply with additional HIPAA rules.

If I’m a healthcare organization, I already answer questions about Business Associate Agreements (BAAs) in my annual HIPAA Security Risk Analysis, and I understand that if my Business Associate experiences a breach, I am responsible for notifying the affected individuals and HHS (along with my State in many cases). As a healthcare organization, I would also want to ensure my partners have a strong security posture, which includes controls and safeguards to prevent them from falling victim to HIPAA violations and fines, where patient health information as well as financial and reputational standing are all at stake.

If I’m a business associate, I want to demonstrate to my covered entity partner(s) that I take security and privacy seriously. I want to show that my organization can be trusted.

All it takes is one employee clicking on a phishing email, one unhappy whistleblower to trigger an audit, or one mishandling of protected health information (PHI), and the Office for Civil Rights (OCR) is knocking on your door ready to do its job.

What is a Business Associate?

A business associate is defined as, “a person or entity who performs functions or activities on behalf of, or provides certain services to, a covered entity that involves access to protected health information (PHI).” A business associate is also considered a subcontractor that creates, receives, maintains, or transmits PHI on behalf of another business associate.

Three items required of a Business Associate

  1. Perform and document a security risk assessment (45 CFR 164.308)
  2. Implement specified physical, administrative and technical safeguards to protect ePHI (45 CFR 164.300)
  3. Report security incidents and privacy breaches to the Covered Entity (45 CFR 164.314(a), 165.410, and 164.502(e))

What is a HIPAA Security Risk Analysis?

When the Security Rule was added to HIPAA, we learned that it “identifies risk analysis as the foundational element in the process of achieving compliance, and it establishes several objectives that any methodology adopted must achieve.”

Essentially, the HIPAA security risk analysis (SRA) is meant to identify potential risks and vulnerabilities to your organization. Once the risks are identified, a plan based on NIST standards can be put in place to prioritize each risk according to its level (Likelihood x Impact = Level of Risk). Then it is time to remediate the findings and complete your SRA.

How often do I need to do a Security Risk Analysis?

The U.S. Department of Health & Human Services (HHS) says the risk analysis process should be ongoing. In order for an entity to update and document its security measures “as needed,” which the Security Rule requires, it should conduct continuous risk analysis to identify when updates are needed. (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii).)

Per HHS, the Security Rule does not specify how frequently to perform risk analysis as part of a comprehensive risk management process. However, nearly all covered entities and business associates can be expected to perform these processes at least annually, depending on the circumstances of their environment.

Can we get away without performing a Security Risk Analysis?

Just like there are motorists on the road without car insurance, I’m sure there are healthcare organizations and business associates conducting business without performing their SRA. These motorists hope they don’t get pulled over or get in an accident. By the same token, everyone hopes they don’t have an employee who mistakenly clicks the wrong link in an email and creates a breach-related incident.

In Summary

If you are a business associate, you are required to comply with HIPAA rules like a covered entity before signing your BAA. This is done by completing a full HIPAA security risk analysis, which should be updated at least every 3 years, or whenever significant changes happen to your computing environment. It is important to always implement policies and procedures that satisfy HIPAA compliance.

It’s good for your organization and for those with whom you do business, and it can save millions in an audit.

HIPAA Compliance for Microsoft Office 365

Organizations in every industry are upgrading to Microsoft Office 365 to improve security. A common concern among healthcare professionals is that using Office 365 and Microsoft Teams exposes an organization to HIPAA violations. If Office 365 is … [Continue reading]

HHS SRA Tool Version 3.0 – The Good, Bad and Ugly


Earlier this month, the U.S. Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) released an updated version of their Security Risk Assessment Tool (SRAT). We have been following the development of this toolkit since … [Continue reading]

Cloud Email Phishing Attacks: A Practical Guide


Attention CIOs, CISOs and IT Administrators! A quick review of the HHS Breaches Over 500 list paints a pretty grim picture of the number of breaches affecting 500 or more individuals. Breaches have been steadily increasing and the culprit is clear: … [Continue reading]

State Departments Conducting Audits?!?

In recent years, healthcare audits have been a trending topic within the compliance world. Following the Phase II launch of the HHS Office for Civil Rights (OCR) Audit Protocol in March 2016, many members of the healthcare community equate audits … [Continue reading]

Healthcare Continues to Dominate Breach Related Costs

A new study conducted by the Ponemon Institute on behalf of IBM Security confirmed the fears of so many healthcare information security professionals: no other personal information yields a higher value than compromised patient records. Across the … [Continue reading]

Similar but Different: Gap Assessment vs Risk Analysis

If you've heard the terms gap assessment and risk analysis used interchangeably before in privacy or security conversations, you are not alone. At HIPAA One, we have found that there are quite a few misconceptions about these two approaches and how … [Continue reading]

GDPR and Windows 10 Compliance

This is the second post in a 2-part series on GDPR. Guest post written in collaboration with Microsoft. On April 14, 2016, the European Union (EU) ratified the final version of the General Data Protection Regulation, aka GDPR. The new GDPR … [Continue reading]

GDPR and the Impact on U.S. Healthcare Providers

A new acronym has begun popping up within the healthcare technology community and is slowly beginning to gain momentum in the way of media coverage and industry articles. If you’ve heard the term GDPR in the past few months and did not understand … [Continue reading]

Cloud Security in Healthcare

Guest Blog by Yiannis Koukouras, TwelveSec, in collaboration with HIPAA One. In our culture, something or someone is always trending. Whether it be bell-bottom jeans in the '70s, playing Nintendo in the '80s or watching the stock market go up and down … [Continue reading]