Remember they’re under the same HIPAA regulations as your practice. One of your most critical considerations when working with business associates, or BAs, is being confident that they are protecting your patients’ private information. And that means getting assurance that all BAs and vendors you partner with understand the importance of HIPAA compliance – before you share protected health information (PHI) with them. Refresher: A BA “is any person or entity that performs a function or activity on behalf of the practice involving the use and/or disclosure of PHI that is not a part of the practice’s staff,” reminds Kent Moore, senior strategist for physician payment at the American Academy of Family Physicians. Additionally, because these BAs have access to your patients’ medical records, they are subject to HIPAA regulations and scrutiny. Remember This About BAs “HIPAA requires covered entities and business associates to obtain ‘satisfactory assurances’ that their vendors that need access to protected health information will safeguard that information appropriately,” says attorney Shannon Hartsfield, an executive partner with Holland & Knight LLP in Tallahassee, Florida. In the past, the HHS Office for Civil Rights (OCR) “has indicated that companies don’t necessarily need to do much more than obtain a written business associate agreement [BAA] from the vendor that complies with HIPAA and conduct a risk analysis,” Hartsfield adds. For example, consider the OCR guidance on cloud services providers (CSPs), Hartsfield suggests. “The HIPAA rules do not expressly require that a CSP provide documentation of its security practices or otherwise allow a customer to audit its security practices,” according to OCR. However: As part of the HIPAA Security Rule, CEs and BAs are required to “conduct an ‘accurate and thorough’ analysis of the risks and vulnerabilities to electronic protected health information (ePHI),” Hartsfield reminds. “OCR has indicated that customers may ask vendors for ‘additional assurances of protections for the PHI, such as documentation of safeguards or audits, based on their own risk analysis and risk management or other compliance activities,’” she says.
Remember: OCR has updated its guidance on the direct liability of BAs, clarifying which “party is ultimately responsible for satisfaction of various responsibilities and patient rights,” explains HIPAA expert Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems LLC in Charlotte, Vermont. “Where the BA is not responsible, the hiring entity is.” Consider asking your BAs these questions to test their understanding of HIPAA compliance before you add them to the payroll: Resource: Review OCR guidance on BAs at www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html.