Caution needed when credentialing business associates
Credentialing of business associates is a hot topic for risk managers now, but many are wondering how far they have to go. Is it enough to ensure that your primary business associates are in compliance with the Health Insurance Portability & Accountability Act (HIPAA), or do you have to credential every one of their subcontractors down the line?
And if one of those subcontractors is responsible for a breach, does the liability stop with the business associate, or go all the way back to the provider?
Credentialing vendors and business associates is a growing industry, and it can take different forms. Many hospitals and health systems use outside services to credential vendors who need access to patient care areas, for example, but the vetting of HIPAA-defined business associates is a different matter. (For more on credentialing of vendors such as surgical sales representatives, see Healthcare Risk Management, November 2013, p. 128.)
The omnibus final HIPAA rule released in March 2013 clarified who constitutes a business associate and who is potentially liable for breaches. There was some good news regarding business associates and liability. Previously, the healthcare provider essentially had all the liability for a breach from a vendor, explains Gary Johnson, chief marketing officer at Vendormate, a credentialing service based in Atlanta.
Under the new rule, business associates and their subcontractors also own some of the liability, Johnson explains. It still is important for healthcare providers to credential their associates, he notes, and more are now including subcontractors in that process because even partial liability for a breach can be significant. (The Joint Commission recently updated its business associate agreement. See the story below for more information.)
"With the new definition of business associates, compliance officers are looking beyond the traditional obvious associates like medical transcription services because the new definition includes storage of off-site data," Johnson says. "Once you have determined that a vendor is a business associate, the law requires that you ask if that vendor has subcontractors that will receive, transmit, or store protected information from your hospital."
If the answer is yes, then you must determine what processes are in place to protect that information with the subcontractor. The HIPAA rule calls this obtaining "satisfactory assurances" that the subcontractor will protect the data.
"The hospital has to be assured that the vendor is providing satisfactory oversight of the subcontractor," Johnson says. "A lot of compliance officers are seeing that this is where the risk could be, because previously they weren’t required to ask about this, but now they are."
Many hospitals are providing questionnaires to vendors regarding the oversight of subcontractors and asking that it be answered quarterly or twice a year, he says. Some are requiring documentation of oversight audits.
"That is to protect the hospital so that if there ever is a breach of protected medical data downstream, by a subcontractor, they can show their attempt to ensure compliance," he says. "State attorneys general now have the responsibility to prosecute those breaches, and the investigation is going to go all the way back upstream to the hospital. They’re going to ask if you were aware the vendor had subcontractors and did you obtain satisfactory assurances of compliance."
Some hospitals are choosing to play it safe by credentialing the first level of subcontractors as rigorously as they vet the vendor, Johnson says.
"Compliance officers are being very demanding of the answers from the vendor regarding their oversight of subcontractors, and if they are not satisfied and feel there is a reasonable risk of a breach, some are actually defining the vendor as an agent," Johnson says. "That changes the legal relationship and allows the hospital to get involved more in their business and do much of the subcontractor oversight themselves."
Gary Johnson, Chief Marketing Officer, Vendormate, Atlanta. Telephone: (404) 949-3402. Email: gary.johnson@