Protected health information (PHI) under threat
According to the Office for Civil Rights, cyber-security threats and attacks are at an all-time high. They cite that 73% of HIPAA breaches are the result of hacking or IT-related incidents.
So it is more important than ever to understand the language in your business associate agreements (BAAs). A business associate agreement establishes a legally binding relationship between a HIPAA-covered entity and an organization that the group health plan is contracting with to provide a service, and it sets the ground rules to ensure the protection of PHI.
The reality is that when a breach or any other kind of security incident happens, each party is at risk for whatever was declared in the BAA. In many ways, a BAA is a mechanism for transferring risk (and thus liability) from one entity to another, so it is important to have up-to-date BAAs and to maintain an inventory of current business associates. This is an important risk management exercise. If the Department of Health and Human Services (HHS) Office for Civil Rights conducted an audit, it is possible they would request copies of your BAAs, and the lack of a properly executed agreement could expose the Plan Sponsor to corrective action plans and civil monetary penalties.
A wider range of associates
Who are group health plan business associates?
A business associate is a person or company who creates, receives, maintains or transmits protected health information (PHI) to perform or assist in performing a Plan function or activity. These activities include claims processing or administration and actuarial or consulting services. The “usual suspects” are typically the health insurance carrier or TPA for the medical, dental or vision plans, the Flexible Spending Account administrator, and brokers or actuaries. But if you really consider the definition of a business associate, you will soon find the inventory goes well beyond this relatively small list.
When thinking of those individuals or companies that might potentially have access to PHI during the course of their work on behalf of the plan, you have to think outside the box a bit and consider the flow of PHI within your organization.
Some common, but often not considered, business associates include legal counsel, auditors, billing companies and accountants, copier/printer/scanner vendors, IT contractors, answering services, external benefit call centers, shredding service providers, offsite storage providers, cloud storage services, email encryption services, and web hosts. Every organization will be a little different and so it is important to review your processes, policies and procedures periodically and consider if you have accounted for all your business associates.
Staying diligent
Of equal importance is the need to perform due diligence on your vendor partners, ensuring that each business associate has current and comprehensive privacy and security policies and procedures in place, that they perform regular HIPAA-specific risk analyses, and train their employees on the HIPAA rules and best practices in handling PHI.
Finally, many things are outside the control of the Plan Sponsor. Taking the time to evaluate business associate relationships and to negotiate appropriate terms for the handling of protected health information, including the roles and responsibilities of each party when an issue or breach arises, will serve everyone’s best interest.
When initiating contracts with new vendors or renegotiating terms with existing ones, remember to review the terms of your BAA, and do not forget to consider non-traditional business associates when doing so.
The usual suspects are of course important, but it may be the ones that are left unconsidered which leave you exposed.