Privacy & Security

How to succeed as a HIPAA business associate

BAs' average cost from a data breach is $1 million
By Rick Kam
June 23, 2015
11:10 AM

Today, everyone involved in the healthcare industry, even remotely, needs to know their responsibilities regarding data privacy and security, because everyone is potentially held accountable by customers, regulators, the courts, and their business partners. Under the HIPAA Final Rule, business associates of healthcare organizations – known as "covered entities" or "CEs" – are being held responsible for following privacy regulations and facing fines if they don't.

BAs are now being audited by the Department of Health and Human Services' Office for Civil Rights, and the 5th Annual Benchmark Study on Privacy & Security of Healthcare Data from Ponemon Institute found that business associates' average cost from a data breach is $1 million. So no matter the size of your business or how far removed you are from the front lines of medical care, you must know your responsibilities and how to handle protected healthcare information.

The importance of a business associate agreement
As a BA, you have direct obligations to federal regulators to follow the Privacy, Security and Breach Notification Rules of the HITECH Act and the HIPPA Final Rule. Your BA agreement clarifies areas where you have to work with your client (the covered entity) under certain circumstances, most specifically, breach notification. If you discover an incident that you think is a data breach, you're obligated to notify your client. Your BAA likely outlines the requirements, such as the timeframe for this notification, the content of breach and patient notifications, and who would bear the costs if your organization caused the breach.

As of Sept. 22, 2014, all CEs were required to have these contracts in place with all of their BAs, and that is one of the things that OCR will be checking as it does audits of randomly chosen healthcare organizations over the next few years. In fact, the law now requires that subcontractors with whom BAs share PHI must also have agreements, so there could be a web of agreements between CEs and BAs, between BAs and their subcontractors, and sometimes between the subcontractors themselves.

A special security contract may sound intimidating to a BA that is a mid-sized or smaller business, but having a BA agreement in place is actually a win-win.

First, it spells out what the business associate needs to do in order to comply with the HIPAA requirements, and the contracting process may trigger discussions or reviews that lead to improved data security and help prevent future data breaches.

Second, knowing exactly what is expected helps a BA maintain a good business relationship with valued customers. If a CE knows of a breach or violation by a BA, the CE is required to take reasonable steps to remediate the breach or end the violation. If that doesn't happen, they must end the contract. In case a breach does happen, if the BA has been following the terms of the contract, it may help the organization avoid fines for non-compliance and protect itself in case of legal action by its business partner or by the patients affected by the breach.

How to be a successful business associate
HIPAA (and your BA agreements) will require your organization to put in place three kinds of safeguards for PHI:

  • Administrative. This includes doing a risk analysis to understand what kinds of PHI you have, how you use it, where it could be vulnerable, and what the impact could be if it were lost, stolen, or exposed. Based on a risk analysis, you will develop policies and procedures to protect that PHI and to outline your response in case of a breach or suspected breach.
  • Technical. These are safeguards built into your IT systems and procedures—even the ones you may have outsourced to another vendor such as an application services or network services provider. (Remember that the safeguards may include BA agreements between you and those providers.)
  • Physical. These include measures such as limiting access to your facilities, systems, and data storage areas to authorized personnel, having security policies for use of laptops and mobile devices; and making sure that materials are recovered and access is taken away when someone leaves your organization.

If you are a small or mid-sized organization, as are many BAs, chances are you don't have data privacy or security experts on staff, and starting on all these measures may be daunting. The best place to start is with the risk analysis. The results will show you where you are most vulnerable and where to concentrate your efforts and your spending. Guided by the risks, you can address the most critical areas first and then grow your security programs as necessity dictates and as time and budget allow.

PHI security is a lot to take on, especially in this age of cyber attacks and daily breaches. While it takes resources to put BA agreements and new security and privacy procedures in place, in the end, they will benefit your business, your business partners, and the patients you both serve.

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

Wes Cronkite of TruBridge on AI
AI & ML Intelligence
Highlighting rural voices is imperative for equitable, bias-free healthcare AI

Most Read

Change Healthcare cyberattack still impacting pharmacies, as H-ISAC issues alert
OCR settles its 2nd ransomware investigation, probably not the last
NIST updates Cybersecurity Framework with Version 2.0
HSCC publishes 5-year healthcare cybersecurity strategic plan
Healthcare is the big victim of Blackcat's cyber counteroffensive
A sense of urgency at the Healthcare Cybersecurity Forum

Research

White Papers

More Whitepapers

Compliance & Legal
Artificial Intelligence
Analytics

Webinars

More Webinars

Artificial Intelligence
Analytics
Analytics

More Stories

Dr. Monika Sonu at Healthinnovation Toolbox_Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
How to build digital health tools with the clinician in mind
Healthcare data exchange
ONC pubs Common Agreement v2.0, with regs for FHIR exchange
Female nurse in grey scrubs on rests on a couch with her head back
Take these steps to reduce unproductive charting for nurses, says KLAS
Prevounce Founder Daniel Tashnek on RPM coding
New codes from the AMA could mean more RPM reimbursement by 2025
Person at a desk with a laptop crunches numbers on a calculator
Small medical practices will close because of Change cyberattack, says AMA
MaryAnn Connor at Memorial Sloan Kettering Cancer Center_Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
Care problems become technology systems via nurse informaticists
Person talking to a doctor on a tablet screen
Patient concerns in healthcare digitalisation: Rising inequalities
Mount Elizabeth Novena Hospital under Parkway Hospitals, part of the IHH Healthcare Group
IHH Healthcare migrates Malaysia, S'pore database...