Now that vendors are accountable under HIPAA, you could face increased liability if these business associates are responsible for patient privacy breaches. The Office for Civil Rights (OCR) handed down its first major fine against a business associate this year. Catholic Health Services of the Archdiocese of Philadelphia, which provides management services to nursing homes, was fined $650,000 after an employee’s mobile phone containing protected health information (PHI) was stolen in 2014.
OCR’s investigation into the incident found the device was unencrypted and had no password protection. Catholic Health Services also lacked a risk analysis had no risk management plan in place regarding breach mitigation.
In this instance, the investigation and fines were limited to the vendor. As business associates are increasingly scrutinized, however, providers may become more susceptible to OCR audits or patient lawsuits. Here’s how to shield yourself from problems.
Consider the chain of business associates
It’s challenging enough to keep your own staff in check when it comes to HIPAA compliance. Making sure your business associates are complying may seem nearly impossible. But you need to consider your liability.
Mark Dietrich, an accountant who specializes in health care valuation and lectures on HIPAA issues, recently had a physician’s external billing company send him 5,000 lines of patient information through his web-based data exchange. He deleted the information and informed the client what had happened. Not all providers, however, are lucky enough to experience this kind of scenario.
“Doctors have to be aware that their business associates may have business associates as well,” he said. “It’s not difficult to envision circumstance where the business associate of a doctor loses patient information and that becomes an issue for the doctor.”
Ask the right questions of vendors
It’s no longer sufficient to send out blanket business associate agreements, cross your fingers, and hope for the best. You may not have time to vet each vendor, but you should be able to create a questionnaire that will provide enough information to gauge business associates’ compliance level.
“Business associates are calling constantly now, losing clients or not getting new ones because doctors are asking more of them than they used to,” said Brian L Tuttle, senior compliance consultant with InHealth Professional Solutions in Atlanta.
If you can’t send them to everyone, focus on higher-risk vendors like billing, transcriptionists and IT providers. Tuttle recommends a list of no more than about 25 questions hitting the highlights of HIPAA compliance. This can include the following:
- Their risk analysis plan (and request to see it)
- Their IT practices
- Server maintenance and backup information
- If they use personal devices for PHI
- The physical security of the business
- Password policies
- If they do background checks on employees
- If staff is trained
- Disclosure policies
- If they encrypt devices
- A breach mitigation plan
Tuttle is currently working on a case where a vendor used the same username and password for all of its employees in the system. Because of this, they were breached. Patients have brought a class-action lawsuit against the provider because they were aware of, and allowed, the password issue.
Doing some vetting of vendors and having them sign off on your list can help take some responsibility off of your office should this kind of problem occur.
“What this does is, if there is a nasty breach, you can prove to OCR or in court that you have done reasonable and appropriate due diligence above and beyond a business associate agreement,” Tuttle said.
Check in regularly
You should be performing an annual risk assessment internally and it may be wise to do a yearly audit of business associates as well.
Tuttle recommends checking in with vendors to make sure nothing has changed on their end – like moving servers, changing passwords, updating policies or procedures, etc. This could be done through a phone call or another questionnaire.
“This can be hard to manage to a degree, but if you can get something in writing it shows that you are doing your due diligence,” Tuttle said.
Ensure privacy even after the contract expires
When your contract with a vendor expires, it doesn’t necessarily mean their responsibility with your records has ended. They have to manage the destruction or return of your PHI. And don’t take for granted they are doing this correctly.
In 2015, a suit was filed by the Illinois attorney general after FileFax allegedly discarded more than 1,000 pounds of documents by shredding and putting them in an unlocked dumpster. It wasn’t until the organization tried to recycle the documents that it was discovered and reported.
You need to put measures in place to be sure this happens correctly to reduce your liability. This process could include sending a form to businesses requesting information on the destruction or return of the PHI at the end of their contract. If they can’t destroy the information, they need to put in writing how it will be maintained.
It is crucial to follow these steps to prove that your office is being proactive instead of reactive with business associates, Tuttle said. You not only have to look at privacy and security from a HIPAA perspective, but also through the eyes of the court. If you have documentation showing you vetted and audited your vendors that will help pacify OCR and act as your best legal defense.