For most providers, it is tempting to forget about the work our business associates ("BAs") do once they sign that Business Associate Agreement. But a BA's breach can cause sizable headaches for the covered entity involved.
For example, multiple health care providers are investigating a potential HIPAA breach caused by a business associate, a medical billing company. One hospital notified 1,100 ER patients that their PHI may have been compromised by an employee of the billing company. Law enforcement found that this employee copied patient data and gave it to a third party.
While the BA caused the breach, who do you think the patients will view as responsible? The billing company they have never heard of--or the hospital that handed over their PHI?
"Out of sight, out of mind" is a risky approach to managing BAs.
In the dark about your BAs? Turn the light on with these simple steps:
- Choose wisely. Before you turn over your PHI to a vendor or contractor, ask them about their HIPAA security protections. The Security Officer should be involved in the contracting process.
- Sign on the dotted line. All BAs should have a signed business associate agreement. HIPAA requirements for BAs changed in 2013. If your BAAs haven't been updated since then, they are outdated.
- Check in. That BAA requires the BA to do lots of things, but how do you know they are happening? Check in with your BAs periodically to find out what steps they are taking to protect your organization's PHI. Remember--this affects YOUR patients, so an inquiry is entirely reasonable.
- Don't take it from me. The HHS Office for Civil Rights (OCR) has an FAQ section with helpful tips for managing BAs.