A business associate (BA) is an individual or organization that uses a covered entity's (CE) protected health information in some capacity according to the Department of Health and Human Services (HHS).
In simpler terms, a BA is the partner of a healthcare company that provides services. Doctor’s don’t have enough time to do everything involved in the industry they serve.
As a result, they outsource services like statement printing and mailing to business associates to make their lives easier. Even with that, though, doctors are still burned out because they have so much on their plate.
So what does it mean to be a business associate for a healthcare organization?
For one, there’s more red-tape involved than working in other industries. You can’t just sell a service that’s going to help a practice streamline their data and leave it at that. Practices, facilities and hospitals work with protected health information (PHI). It also happens to be some of the most sensitive information on the planet.
Thus, you’re just as liable for protecting this data as much as the practice you’re providing services for as a business associate.
Providing your services to a healthcare organization is a great opportunity for you. After all, the industry should grow by 15% over the next ten years.
Before you give your sales team the green light to give demonstrations about how your services streamline processes you need to ensure that certain safeguards are in place. Luckily, we’ve made this checklist for you to help get you started.
Table of Contents
Item 1: Understand What's at Stake
Physicians, nurses, medical coders and billers all badly need your services.
After all, how are they going to stay ahead of their workload? Baby Boomers, one of the largest generations ever, are getting older and they were already bogged down before.
That’s where you come in. Whether you’re saving them time, or from a headache, what you offer is a game-changer.
Your enthusiasm is admirable and I imagine that’s one of your qualities that got you to where you are today. However, before you go any further you need to understand what you’re getting yourself into.
Here’s the harsh reality.
The HHS attributes some of the largest breaches ever reported to business associates.
All organizations run on some level of risk, there’s no denying that. But healthcare is one of the most targeted industries by cybercriminals. You’ll inherit this risk the moment you start talking with practice managers and physicians.
In 2017 alone, business associates were responsible for potentially exposing over 31 million patient records.
By working in healthcare you’re putting a target on your back. That’s not to deter you from choosing to become a business associate, instead it’s to shine a light on what you’ll need to pay attention to.
If a breach happens with your partner’s data on your watch, you’ll lose their trust. Worse, you might end up on “The Wall of Shame”. If you end up listed there it’ll be difficult to land any new healthcare clients.
Item 2: Conduct a Risk Assessment
Before you start drafting new policies for all of your employees to follow, you’re required to identify your biggest vulnerabilities.
Before 2013, HIPAA only required covered entities to conduct a risk assessment. Then the Final Omnibus Rule updated this requirement by imposing it on business associates.
A risk assessment identifies areas of your organization that may put PHI at risk.
It’s an arduous process that requires accuracy and a detailed understanding of your inner workings. It’s also something that never really ends. HIPAA requires that you update and document your security measures “as needed”. This statement alone turns risk assessments into an ongoing process.
The longer you operate while navigating HIPAA the more you’ll notice that the law leaves a lot open for interpretation. Conducting a risk assessment is one of the first things you need to do as a business associate, right away you’re faced with interpreting the law.
Luckily, you’re not the first person to want to work with healthcare organizations. There is plenty of existing information available to help you determine how often you should conduct a risk assessment.
But, you might not even have to do any research on your own since there are two different ways to conduct this type of evaluation; internally or externally.
If you choose the internal route, you’ll gain first-hand knowledge about what the HHS considers most important to protect. This knowledge, in turn, will make you an expert business associate to work with.
The HHS also provides a lot of helpful resources to help like their Security Risk Assessment Tool.
Vendors who conduct these on your behalf will tell you that outsourcing is the best way, naturally. Going the external route gives you an unbiased view of your vulnerability landscape. Internal risk assessments run the risk of producing biased results. Even if you purposely tried to stay as neutral as possible during the evaluation, it’s nearly impossible to not give yourself some leeway.
That’s where the external option shines brightest. Of course, they do cost extra.
Item 3: Implement Policies and Trainings
Deciding to be a business associate means that the way your organization currently runs is changing.
You’ll have no choice but to establish new policies that affect your employees, their workstations, their access and their use of social media while on the clock.
Becoming a business associate means that your entire workforce functions to satisfy the requirements established by HIPAA. Although it would be nice to only have to devote one specific department or group of employees toward working under the government mandates put forth, that’s not the case.
You’ll want to implement policies that are broad like making sure any visitor to your office signs in. As well as those that are more granular like requiring employees to lock their computers if they aren’t at their workstation.
Resources you used during your risk assessment (like NIST-800) and its results will also help guide you through the policies you need to implement.
Although you might be new to the wonderful world of healthcare, I imagine you’re familiar with the statement I’m about to make. Compliance requires training, there’s no way around it.
But training is another requirement listed within HIPAA that’s open to interpretation.
It’s so important that it’s mentioned in both the Privacy Rule (45 CFR §164.530) and the Security Rule (45 CFR §164.308). However, it doesn’t list specific training requirements in either reference.
Thus, you’re left on your own to figure out a training program that works best for your team. You can present the information to your staff however you want. Of course, certain methods work better than others (I recommend turning the material into a fun game).
Training isn’t an area you want to overlook, though, as your employees are your biggest risk. The more boring your program is, the less likely your staff will pay attention to it.
Item 4: Double-Check The BAA
HIPAA is one of the most encompassing laws in existence. As a result, it's easy for business associates and even healthcare providers to get confused about what is and isn’t required.
Not every place that provides a service to a practice needs to sign a business associate agreement (BAA). A BAA is a law-binding contract that defines liability with a vendor.
If the services you’re providing don’t “create, receive, maintain, or transmit PHI” then you’re not a business associate and you may provide your services to a healthcare provider without signing a BAA.
This doesn’t mean you should try to convince yourself that you’re not a business associate if indeed you are.
However, there is room for negotiation during the BAA process with a practice regarding…
Audit rights
Indemnity
Reporting
First, it’s important to review the audit rights you’re agreeing to when signing a BAA. Yes, you have to give access to your books and records to the Secretary of HHS under the HITECH Act. But, that doesn’t mean a covered entity needs them as well.
Second, the HHS published Sample Business Associate Agreement Provisions in 2013. Indemnity wasn’t mentioned once as a regulatory requirement to include in BAAs. As a result, you may negotiate whether to include an indemnification clause or not.
The Association of Corporate Counsel (ACC) discussed this topic. Representatives from both sides of a BAA weighed-in based on their experience and what they’ve done. The consensus was that whether to include indemnity or not depends on the amount of risk involved with the service a BA provides to a CE.
Third, pay attention to any clause that defines a breach notification time frame. By law, BA’s must let CE’s know of a breach no later than 60 days after its discovery. Some agreements may layout a more strict time frame.
If an unauthorized person gets a hold of a covered entity’s PHI through your system, you might need more time than a day to figure out what happened. However, you might violation your BAA if you signed it and it requires a notification within 24 hours. This is an area open to negotiation.
Conclusion
It’s understandable if you’re eager to start reaching out to healthcare organizations to sell your services. It’s a booming industry that’s not affected by economies and continues growing indefinitely.
But, you might have to temper your excitement a little bit to make any necessary changes to your organization.
Maybe you won’t even have to worry about negotiating and signing a BAA after you’ve done your research. If that’s the case, get cracking.
However, if what you offer ends up requiring access to PHI you’ll need to make sure that you’ve changed how your organization operates to protect that data. Otherwise, you’ll face a massive fine that could very well end up closing your doors for good.