As a business owner, you know there are a lot of elements that go into running a successful healthcare practice. It’s common to have third-party companies assist with everything from accounting, to document disposal, to managing remote operations through cloud sharing and telehealth services. These vendors may be a big part of keeping your practice running smoothly. While you may already do a fantastic job of checking your contracts with these vendors – your terms of service, payments, etc. – where many practices fall short is in reviewing your vendor’s obligations to protect your sensitive patient information.
As a healthcare provider, your practice functions as a covered entity, and any vendor that comes into contact with PHI in the process of working with your practice becomes a Business Associate (BA). Not all companies that your practice hires come into contact with PHI, so how do you know who exactly qualifies as a Business Associate? The HHS defines a Business Associate as any organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity. Some examples of Business Associates include:
- A third-party administrator that assists a health plan with claims processing
- A medical billing company
- Your EHR/PM company
- An attorney whose legal services involve access to protected health information
- A shredding company
- An email encryption provider
- IT professionals
- And more!
Once you determine who is considered a Business Associate to your practice, you must then put a written Business Associate Agreement (BAA) in place with each one to ensure your practice and your third-party vendors are properly protecting the security of your patient information. This agreement spells out the specific HIPAA obligations that both you and each of your Business Associates must follow, including:
- Safeguarding PHI. This means the Business Associate is agreeing to implement all administrative, technical, and physical safeguards required to secure PHI and maintain compliance.
- Completing BA Employee Training. Just like all employees within your practice should be properly trained on HIPAA compliance, so should your Business Associate’s employees.
- Breach Notifications. We hope it never happens, but in the event that a breach does occur, the Business Associate must notify your practice without unreasonable delay and within the deadline written into the agreement. The Breach Notification Rule gives a BA an outer limit of 60 calendar days from discovery, but most practices set a much shorter window in the BAA. It's important that your practice is made aware as soon as possible so that you and your BA can complete required breach notifications to patients, HHS, and (where applicable) the media within the correct time frame.
- Proper Disposal of PHI. If you decide to part ways with your Business Associate, you need to have the proper agreement in place to ensure the business associate will return and/or properly dispose of any PHI they have received from your practice.
Even if a vendor comes into contact with your PHI only once, it's better to play it safe and have the proper agreement in place – just that one instance could be the catalyst for a breach of PHI. (The narrow exception is a pure conduit, such as a postal carrier or an internet service provider, that only transports PHI and does not access or store it.)
Not having the proper Business Associate Agreements in place has figured in many HIPAA enforcement actions. One case, in particular, cost a medical practice in Utah a $100,000 settlement on top of a two-year corrective action plan. The practice had filed a complaint against its EHR company, which allegedly had been blocking access to patients' ePHI. Although it might seem like the practice was the victim in this situation, the OCR investigation found that there was no Business Associate Agreement in place. A vendor's misconduct does not relieve a covered entity of its own obligation to have a BAA, so the practice was still accountable for the missing agreement.
Data breaches, cyber-attacks, and improper handling of PHI can happen to your practice at any time, and to the companies you work with – especially when operating remotely or bringing on new vendors to help manage operations. Ensuring that you have the proper agreements in place is vital not only in protecting your patient data but in clearly allocating responsibility between your practice and your vendors in the case of a breach. A software solution like Abyde makes this process much easier with a Business Associate Portal that automatically generates formal agreements with all the proper policies and procedures in place – taking the stress of HIPAA compliance off you and your vendors.