Are Your Business Partners HIPAA Healthy?
by Donna Koger, 7.5.18
According to the Omnibus Rule of 2013, “The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate [BA] that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity. The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.”
How do you know if your business partners are HIPAA compliant and that they are safeguarding YOUR PHI? It is the responsibility of the Covered Entity (you) to be sure anyone accessing your data is in full compliance.
The HHS.GOV website states that, “If a breach of unsecured protected health information occurs at or by a business associate,the business associate must notify the covered entity following the discovery of the breach.” So who is ultimately responsible for the breach, the Covered Entity or the Business Associate? The answer in most cases is BOTH. Whether compromised from within your system or the system of a business associate, your organization can be liable for up to $50,000 per violation per day as a result of any breach of your patient data. And that’s just HHS penalties. That doesn’t include civil action, cost of mitigation, and loss of patient trust.
So how can you be safe?
The HHS makes it clear that covered entities must ‘obtain satisfactory assurance’ that each BA safeguards the patient data it receives or creates on behalf of the covered entity. That means covered entities must put forth a good faith effort to assist their business associates in achieving HIPAA compliance.
When you have a Business Associate Agreement (BAA) with your partners, it should specifically state that the partner is responsible for any breaches of your PHI and that they should be fully HIPAA compliant in their dealings with your organization. To be sure YOUR organization is fully compliant, have you . . .
- Identified all Business Associates?
- Obtained Business Associate Agreements with all Business Associates?
- Audited your Business Associates to ensure that they are HIPAA compliant?
- Set up reporting documentation to prove your due diligence?
Don’t reinvent the wheel, check out BAA templates available on the internet. HHS.gov offers good advice on preparing BAA documents here: https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html