Risky business gets riskier

Opinions on business associate compliance from a data security expert
By Gary Glover

If you aren't interested in business associate security, maybe you should rethink your patient security strategy. According to the Department of Health and Human Services, 57 percent of patient records breached involve business associates.
Many covered entities believe that because business associates and subcontractors are now directly responsible for Health Insurance Portability and Accountability Act violations under the final rule, the covered entity has less penalty risk. In truth, consequences may actually increase. It is and always has been the covered entity's responsibility to protect patient information. Now under the HIPAA Final Rule, covered entities must also help business associates and subcontractors achieve full compliance by Sept. 23, 2013 or face serious fines.
The rule isn't merely requiring an update of business associate agreements. Like your organization, a business associate must now follow HIPAA guidelines, implement policies and procedures, and document their compliance journey. The HHS stated covered entities must "obtain satisfactory assurances" that each BA safeguards the patient data it receives or creates on behalf of the covered entity. Unfortunately, a business associate agreement doesn't tell you what data BAs access or how they protect it.
Understand that if they store, process, transmit, maintain, or access even one piece of protected health information in any form, they are required to comply fully with HIPAA privacy and security requirements. It doesn't matter if the PHI is encrypted on a server or stored in a cabinet with a triple combination lock. Be wary of BAs that try to convince you their business is exempt from HIPAA requirements, because it most likely is not.
Fines: what you don't know
HHS Office for Civil Rights Director Leon Rodriguez stated, "[HIPAA] changes...strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates."
Thanks to the final rule, you are as liable as your business associates for their data breach fines. Perhaps you've seen the well-publicized HIPAA financial penalty matrix. It explains that fines associated with a patient data breach may be up to $50,000 per violation. If you read between the lines, you learn that those retrospective violation penalties are enacted daily. For example, you could be fined up to $750,000 for a single data breach violation that occurred 15 days ago. Fines add up fast, especially considering HHS has the clearance to fine an organization $1.5 million per violation, per year.
Where to begin
It's crucial for your organization's reputation that your BAs' security stands firm against an audit or data breach investigation. You may have a number of BAs, but it's not difficult to develop a customized mass compliance program. In fact, it's crucial to ensure BAs are compliant as soon as possible, because if they refuse, you need time to replace them.
One covered entity's plan
Here's how one healthcare entity jumpstarted its business associate compliance.
Just as you wouldn't eat an entire elephant in one bite, you shouldn't demand full compliance from every business associate at once. The healthcare entity determined how much liability each BA held through a quick scoping survey that identified and categorized individual risk levels. Examples of survey questions included, "What is the overall quantity of data records with which you interact annually?" and, "Do you use or plan to use offshore resources to carry any part of your services?" Through this quick risk snapshot, the organization was able to discover which BAs put it at highest risk, and from which it would eventually require proof of a risk analysis and HIPAA compliance measures.
You can do it
From the perspective of someone who has worked in the data security and compliance space for more than 10 years, this will take a significant amount of time, effort, and technology expertise. Even HHS stated that "doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional." If you decide to partner with a HIPAA compliance expert, find one as dedicated as you are to ensure success.