HIPAA Regulatory Alert

BA 'must haves' for privacy, security

Agreements spell out CEs' expectations

A hospital privacy and security compliance officer knows exactly what policies and programs within the organization are designed to protect patient information (PHI), but what should be expected of a business associate (BA)?

Cyber insurance coverage is one item that all BAs should have, recommends Andrew Martin, an attorney with Scott & Scott, an intellectual and technology law firm in Southlake, TX. "The cost is not prohibitive, especially compared to the costs associated with a breach," he says. "If a business associate refuses to obtain cyber insurance coverage to the appropriate limit for the protected health information for which they handle, the covered entity should stop negotiations."

While cyber insurance can help cover the financial aspects of a breach, it is a supplement to, not a replacement for solid privacy and security policies and procedures, Martin says. "A covered entity should also expect the ability to perform a non-intrusive audit of the business associate's policies and technology," he says.

When auditing or monitoring a business associate's program, look for the following:

• Policies that clearly define process for handling PHI.

The policies should define the flow of information, who is responsible for reporting a data breach back to the covered entity, the physical safeguards for information, and the employee training program, says Christine Leyden, RN, MSN, senior vice president of client services and chief accreditation officer at URAC, a Washington D.C.-based nonprofit accreditation, education, and quality measurement organization.

• Names of the business associate's privacy and security officials.

"Be sure you have all of their contact information, as well as contact information for the people who serve as their backup in their absence," says Leyden.

• Documentation of employee information.

Look for proof that the BA conducts background checks on new employees and that all new employees receive training on privacy and security policies and procedures, says Leyden.

"In addition to new employee training, all employees should undergo privacy and security training annually," she points out. Business associates should also include compliance with privacy and security protocols as part of an employee's annual evaluation.

• Results of periodic risk assessments.

Make sure your business associates are routinely evaluating their procedures and how they handle or update your data, suggests Leyden.

"Patients change insurance and healthcare organizations merge or change, so your business associates need to make sure they are sending information to the appropriate people," she says.

A risk assessment also should address the type and amount of data shared with the business associate, suggests Martin. Although it is easier to share entire records, the data should be restricted to only what the BA needs, he points out. If too much data is shared, the BA and covered entity should work together to identify what is needed, he adds.

Be sure that the risk assessment addresses such as the use of mobile devices and how data is destroyed when no longer needed, adds Anupam Sahai, president of eGestalt Technologies, an information security company in Santa Clara, CA.

• Use of subcontractors

If your BA will share your data with subcontractors to perform contracted tasks, verify that the BA requires the subcontractors to protect the privacy and security of PHI, says Sahai.

"Even if the data breach is the result of a business associate's action, the liability for the breach affects the covered entity because it affects the relationship between the covered entity and the individual."

Andrew Martin, Attorney