Jeremy Henley, Director of Breach Services | June 22, 2015 | Compliance and Risk | Data Breach Notification | Legal and Regulatory

The Art of the Possible: Business Associate Compliance and Cost

This blog is part 2 of a 3-part exploration of healthcare business associate risks. For more, read HIPAA Business Associate 101: A Primer and Risk By Association: Business Associates Face High Stakes in Healthcare Data Security.

If you do business with the healthcare industry in any capacity that involves identifiable personal information on patients, chances are that you’re considered a “business associate” or “BA” under the Final Rule of HIPAA, the Health Information Portability and Accountability Act. (And if you’re not sure whether you’re a BA, check out the first article in this series to find out.) That means the government now holds you responsible for maintaining compliance with HIPAA security regulations. Even if the government never comes knocking to check on your security programs, the healthcare companies (HIPAA “covered entities” or “CEs”) with whom you do business are going to check, because the federal government, individual states, and their patients may hold them responsible if you’re not compliant, especially if there is a data breach. In fact, according to the Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data by the Ponemon Institute, 87 percent of BAs experienced security incidents over the past two years, while 42 percent did not perform federally mandated security incident risk assessments.

Case Study: Best Practices for Responding to a Patient Data Privacy Incident Involving Multiple Covered Entity Clients

The question for many BAs is how to achieve compliance in an affordable way. Compliance can be complex. The Final Rule went into full effect last year, but federal policies and regulations are still evolving. The Secretary of Health and Human Services will issue guidance annually on appropriate technical safeguards for information security, so compliance will be a moving target for years to come. On top of that, there is a whole web of state regulations that you need to comply with. Did you know that 41 states require a “risk of harm” analysis to determine whether consumers will be harmed by a data security incident? And 21 states and Puerto Rico require that the state Attorney General be notified, while in seven states medical privacy statutes are triggered by an exposure of either electronic or paper records. And then there’s case law around data breaches, which is also evolving rapidly. At this point, 14 states (plus the District of Columbia and most U.S. territories) allow individuals to bring a private “cause of action” (read “lawsuit”) for harm allegedly caused through a breach of personal information. When those situations arise, being able to prove compliance can be your best defense.

If you, like many BAs, are a mid-sized business, how are you supposed to comply with this complex web of requirements? You probably don’t have an in-house legal expert who can track all of this, and you may not have any staff members dedicated full time to privacy programs. Yet now you’re supposed to have privacy and security training in place for your workforce, security monitoring and audits, incident response plans, and more. You need to do this not only for compliance but also to protect your business relationships with healthcare organizations. How are you supposed to manage?

The short answer is to find out what’s critical and what’s possible. Look first at your business associate agreements (BAAs). What do the CEs you work with expect of you? If they are audited by the government or face a possible data breach, you need to be able to show that you’re meeting the terms of the agreement. If you aren’t, and you can’t resolve the security issues, the Final Rule requires them to terminate their business agreement with you. Next, conduct a risk analysis and see where you are most vulnerable to loss or exposure of protected health information (PHI). There are tools available to help you with the process; based on that analysis, you can spend your security budget addressing the most critical gaps first, and then expand your security programs as budget allows. Third, identify experts who can support you in case you are facing an inquiry, a security incident, or a breach situation. These services can save you lost revenue or other penalties. As a rule, if you do your research, compliance is possible, and it is less expensive than the consequences of being non-compliant or unprepared when security incidents happen.
