Healthcare organizations can give third parties (“business associates”) access to patient data, including an independent medical transcriptionist hired by a physician, outsourced claims services, a consultant, or a CPA firm whose services require access to protected patient information.
HIPAA regulations state that you must enter into a contract with these third parties in which they agree to protect the data. Building a systematic way to distribute and collect these contracts, or Business Associate Agreements, should be an essential part of any vendor risk management strategy.
Not doing so exposes your organization to a huge amount of liability, because the government places the burden of protecting patient data on healthcare organizations.
Any identifiable health records are protected under HIPAA. This includes:
Medical Records prepared by nurses, doctors, etc.
Anything discussed between a patient and provider related to treatment or care
Information collected in health insurer’s systems
Billing information stored and collected by providers
Other health information stored by organizations required to follow HIPAA
Patients are protected by HIPAA privacy rules in the following ways:
Patients may ask to see all medical records
Patients may have health records corrected
Patients may request and receive information about how their health records are used and/or shared
Patients may decide how their information is shared for certain purposes (e.g. for marketing)
Patients may have access to information about when or where their information was shared
Patients may file a complaint if they believe their information has been misused or compromised
Health plans, the majority of healthcare providers, healthcare clearinghouses, and any business associates of such organizations are all required to follow HIPAA privacy rules. This means that any identifiable health data must be protected as outlined in HIPAA. There are also organizations that collect identifiable health data but are NOT required to follow HIPAA rules, such as life insurance companies, employers, and certain state agencies.
Business Associate Agreements
A Business Associate Agreement is a legal document that allows third-party “business associates” access to patient data, provided they agree to proper usage and protection of the data. The HHS website offers details on the required components of a Business Associate Agreement.
In order to manage the risk associated with vendors who have access to HIPAA-protected information, it is essential to systematically administer and collect Business Associate Agreements. Providers must also have an easy way to manage and audit these agreements, which is no easy task for a hospital system. Oftentimes these systems maintain a decentralized structure and leave it up to the individual hospitals to collect and manage these types of agreements. This exposes the system to a huge amount of risk if it does not have a centralized database that gives it the ability to audit each hospital’s agreements.
Does your organization’s vendor risk management strategy include a collection and management process for Business Associate Agreements? Is it easy to audit? What improvements could you make to your system?