Organizations, known as covered entities, subject to HIPAA regulations already have a difficult time preventing and detecting unauthorized access to patient information within their own organizations – now they have the added burden of managing the access of business associates.
This was the case with Meritus Health, which recently notified the Department of Health and Human Services' Office for Civil Rights that one of its business associates had inappropriately accessed patient information. Meritus Health discovered the breach after conducting a routine compliance self-audit.
The first step to managing your company's business associates is to know the definition of a business associate. According to the U.S. Department of Health and Human Services, a business associate is defined as
a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
Sometimes a covered entity can also be a business associate to another organization.
The following functions or activities performed for a covered entity make a person or entity a business associate:
- claims processing or administration
- data analysis, processing or administration
- utilization review
- quality assurance
- billing
- benefit management
- practice management
- repricing
Business associate services are:
- legal
- actuarial
- accounting
- consulting
- data aggregation
- management
- administrative
- accreditation
- financial
If you have vendors performing any of these functions for your organization and they also have access to protected health information (PHI), then they are considered a business associate of yours, and you, as a covered entity, have responsibilities under the Privacy Rule regarding your business associates.
Covered entities are required to obtain satisfactory assurances from their business associates that they will appropriately safeguard the protected health information (PHI) they receive or create on behalf of the covered entity. The satisfactory assurances must be in writing, whether in the form of a contract or another agreement between the covered entity and the business associate.
The following are examples of business associates:
- A third party administrator that helps with claim processing
- A CPA or law firm that may have access to protected health information
- A consultant performing utilization reviews for a hospital
- An independent transcriptionist who provides transcription services to a physician
According to Keith Fricke, principal consultant at tw-Security, “Covered entities should assess the policies, practices, and technology investments a business associate has in order to gauge a business associate’s ability to prevent and detect inappropriate access.”
If your organization is a covered entity, then it is in your best interest to know the policies your business associates have regarding access to protected health information, both for data-containing devices that are in use and for devices that are no longer in use but may still contain protected health information.
Contact us if you are interested in setting up data destruction compliance plans for your business associates who have outdated and unwanted data-containing devices. Outdated, unwanted, or unused data-containing devices could hold protected health information and could result in a breach. Setting up a compliance plan with your business associates for these devices is one way to minimize your risk of a breach. Contact us for a free consultation.