The Art of the Possible: Risk-Based Compliance for Business Associates



By Mahmood Sher-Jan, CHPC, EVP and GM RADAR business unit, ID Experts

This is part 2 of a 3-part series on healthcare business associate risks. The first part is Business Associates 101: Are You a Business Associate?

If you do business with healthcare covered entities in any capacity that involves accessing, processing or maintaining identifiable personal information on patients, chances are that you’re considered a “business associate” or “BA” under the Final Rule of HIPAA, the Health Insurance Portability and Accountability Act. (If you’re not sure whether you’re a BA, check out the first article in this series to find out.) This means that the government now holds you directly responsible for complying with the HIPAA Security Rule and most of the HIPAA Privacy Rule. Even if the government never comes knocking to check on your compliance program, the healthcare companies (HIPAA “covered entities” or “CEs”) with whom you do business are going to check, because the federal government, state regulators, and their patients may hold them responsible, especially if there is a data breach. In fact, according to the Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data by the Ponemon Institute, 87 percent of BAs experienced security incidents over the past two years, while 42 percent did not perform the federally mandated security incident risk assessments.

The question for many BAs is how to achieve compliance using a risk-based approach. Compliance can be complex and involves both regulatory and contractual obligations for BAs. The Final Rule went into full effect in 2014, while state data protection laws are evolving and becoming more stringent. Did you know that 41 of the 47 states with breach laws require a risk-of-harm analysis to determine whether consumers will be harmed by a data security incident? That 25 states and Puerto Rico require that a state attorney general or state agency be notified, and that in eight states breach notification laws are triggered by unauthorized disclosure of either electronic or paper records? And then there’s case law around data breaches, which is also evolving rapidly. At this time, 14 states (plus the District of Columbia, Puerto Rico, and the Virgin Islands) allow a private cause of action (read “lawsuit”) for harm allegedly caused by a breach of personal information. When those situations arise, being able to prove compliance can be your best defense.

Because, as a BA, you are expected to comply with this complex web of regulatory requirements and client-specific contractual requirements, you need a risk-based approach to compliance. The reality is that 100 percent compliance is unrealistic for most healthcare entities. You need board and C-level buy-in to have a realistic chance at success given the current state of data security and privacy in healthcare. If you don’t have a mature risk-based privacy and security program, you need to develop a framework for prioritizing your risks and their associated impact levels. You need to track and analyze the implications of the evolving data protection regulations. You’re supposed to designate privacy and security officials, have training in place for your workforce, run security monitoring and audits, have incident response plans in place, and more. You need to do this not only for compliance but also to protect your business relationships with your healthcare clients. How do you manage?

The short answer is to find out what’s critical and what’s possible. First, look at your business associate agreements (BAAs). What do the CEs you work with expect of you? If they are audited by the government or face a possible data breach, you need to be able to show that you’re meeting the terms of your agreement. If you aren’t and you can’t resolve the security issues, the Final Rule requires them to terminate their business agreement with you, where termination is feasible. Second, conduct a risk analysis and see where you are most vulnerable to loss or exposure of protected health information (PHI). Assume that you will experience a breach, so make sure you have an incident response plan and a compliant multi-factor incident risk assessment process. There are tools available to help you with the risk analysis and incident risk assessment processes. You should spend your privacy and security budget addressing the most critical gaps first, and then expand your programs as budget allows. Third, identify experts who can support you in case you are facing an inquiry, a security incident, or a breach situation. These services can save you lost revenue or other penalties. As a rule, if you do your research, compliance is possible, and it is less expensive than the consequences of being non-compliant or unprepared when security incidents happen.
