By John Gagnon, BSSEC/ACS, and Cheryl Martin, MA, RHIA
When it comes to business associate agreements (BAAs), who is ultimately responsible for keeping track of the business associates (BAs)? The organization’s administration? Health information management (HIM) staff? Compliance? IT? Legal? Also, who has the master list and who confirms there is a signed agreement for every entity accessing protected health information (PHI) within your system?
HIM professionals have historically handled matters of privacy, and it is important that those handling privacy issues have a strong grasp of related security requirements, possible digital solutions, and additional responsibilities that require ownership. HIM professionals should expect and seek out larger security roles in the management of electronic health records (EHRs) that will require an increased focus on their technical skillset and knowledge.
Having ultimate responsibility for patient information, HIM professionals need to be knowledgeable about—and involved in—all systems and processes pertaining to EHR access and the PHI they contain. They must be familiar with the requirements surrounding outside entities that request access to PHI to perform their duties. Most services within the healthcare sector can be purchased through specialized vendors, including billing services, anesthesia services, emergency department physician services, coding services, and transcription services. A covered entity often elects this option because vendors can perform certain functions less expensively than the covered entity.
But there are important considerations beyond just cost. Healthcare organizations that choose to leverage outside vendors for services that require access to PHI increase their risk of a breach. If the functions or activities that the vendors perform involve the use or disclosure of PHI, they may be considered BAs, according to the HIPAA Privacy Rule. This classification requires the covered entity to obtain “satisfactory assurances” that the business associate (vendor) will appropriately safeguard the PHI. Such assurances are generally maintained through a BAA.
A strong and comprehensive BA relationship management function is one of the best defenses against breaches within organizations that handle PHI. Unfortunately, many organizations handle this function inconsistently across departments and individuals or have no oversight whatsoever. BA relationship management must be a designated responsibility in any organization with BAs.
According to the US Department of Health and Human Services (HHS), there were 148 reported “hacking/IT incident” breaches from January 1 through August 31, 2019, totaling 8,452,075 individual records. Of the 148 reported breaches, 47 involved a BA.1
The HITECH Act of 2009 expanded the responsibilities of BAs under the HIPAA Security Rule, requiring them to ensure proper administrative, physical, and technical safeguards are in place to secure the PHI being accessed.
On May 24, 2019, the HHS Office for Civil Rights (OCR) released a fact sheet2 listing the provisions through which a BA can be held directly liable for compliance with requirements of the HIPAA rules, including the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Breach Notification Rule, and HIPAA Enforcement Rules.
The fact sheet clarifies 10 HIPAA requirements and prohibition violations for which OCR has the authority to take enforcement action against BAs. The full list is available online at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/index.html. Some of these actionable offenses include:
- Failure to provide the HHS Secretary with records and compliance reports
- Retaliatory action against individuals filing a HIPAA complaint
- Failure to comply with the Security Rule requirements
- Failure to provide breach notification to a covered entity or another BA
- Impermissible uses and disclosures of PHI
The BAA is the appropriate means to articulate the permitted use of PHI and ensure a BA’s compliance with HIPAA. A “life cycle” approach is recommended to ensure compliance during the contract process. Pre-contract due diligence should include a security questionnaire to the BA and include proof that the BA has completed a current and proper security risk assessment (a BA requirement as of September 23, 2013, per the HIPAA Omnibus Rule). Post-contract controls should articulate how contract compliance will be monitored and include event management procedures. Lastly, the contract should include termination processes and procedures.
Assessing the Organization’s Current State
What is the best way to assess the current state of your organization? How do you find out if there are BAAs in place for all entities currently accessing your PHI? This is a daunting task, especially for large and complex organizations, where there is a greater probability of entities accessing the organization’s PHI without current BAAs on file. The first order of business is the identification of all systems containing PHI, which can be more complex than expected. USB drives, copiers, fax machines, scanners, medical equipment such as CT scanners, legacy system servers, and employee cell phones used to message clients all may be storing PHI. It is important to identify and inventory all entities that access the systems containing PHI and to work closely with IT staff and system administrators of the identified systems.
To ensure compliance, follow these steps:
- Evaluate who is and who is not a BA (include BA subcontractors).
- Check to see if a current BAA is on file for each BA.
- Update all BA contracts if not compliant with current HIPAA rules.
- Review each existing contract carefully, paying close attention to what services the contractor or subcontractors are providing and what specific data they need access to in order to provide that service. If there has been no formal review process in place for your BAAs, be on the lookout for the following, considering the possibility that access can be set to “minimum necessary” while still allowing the BA to provide the services in the contract:
- The provisioning capabilities in the systems to which the BA has access may have improved, allowing stratification of access to the smallest common denominator. In other words, the filtering capabilities have gotten better. Minimum necessary should be at the top of the list for granting access.
- The request for access was directed straight to the information systems department with no further explanation except that this vendor needed access to patients in a particular system. It is not uncommon for requests from an employee within the covered entity to be sent to system administrators in IT, who then do exactly what they are asked.
- A generic username and password were granted to the vendor rather than a unique username and password for each person accessing the system. It is not uncommon for both vendors and the covered entity to claim it is too much work to give everyone who might access the system their own username and password.
- Keep track of individual contract dates and formally assign a person to manage the process and annually review each contract.
- Ensure that contracts stipulate in writing that subcontractors will agree to the same data use controls.
Healthcare organizations and BAs both must follow sound information security practices because the liability for a breach can impact both entities. Part of BA relationship management is the consideration of the BA’s information security practices, policies, and procedures in relationship to the practices, policies, and procedures within your own organization, sometimes referred to as an “information security posture.” As stated earlier, proof of a completed security risk analysis from a BAA has been required since 2013, but many organizations now require additional evidence reflecting due diligence and compliance with the requirements from potential BAs. Copies of policies and procedures, screenshots of items such as firewall configurations, and proof of encryption are now being required by some organizations before a covered entity will sign an agreement and authorize access to PHI. These added requirements are good practices to put into place for all BAA contracts going forward and protect the covered entity, the BA, and, most importantly, the individual’s right to privacy and security.
Consideration might also be given to decreasing the amount of time the BA has to inform you of a potential or actual breach. Currently, a BA has 60 days from the time it discovers the occurrence until it must let the covered entity know what has happened. Since the covered entity is providing access to the PHI, which may or may not have been breached, it seems prudent to require any BA to notify you immediately of any potential or actual occurrence.
Risk Assessments are Imperative
The healthcare organization and the BA must conform regulatory requirements that specifically address the confidentiality, integrity, and availability of PHI as well as personally identifiable information (PII). The protection requirements can extend to any and all systems, processes, and workflows involved with the transmission, storage, and processing of PHI and personally identifiable information.
The first step toward compliance typically is to perform a security assessment on a scheduled basis that encompasses all information systems, processes, and workflows on an annual basis. In addition, assessments should be done when implementing a new system or replacing or sunsetting an existing system. The scope of such assessments should include the supporting “systems” of the new, replaced, or sunset system. Auditors will not only want to see proof of these assessments, but they will also want to see the remediation plans for any deficiencies or issues identified in the assessment. While many organizations perform annual assessments, the remediation work required to address findings is often extensive and time consuming. The ability to show continual progress in addressing risk assessment findings is imperative. That ongoing work might take the place of an actual assessment in any given year. The next full assessment should therefore not show the need for remediation in the same areas.
The security assessments encompass the administrative, physical, and technical safeguards that are required to ensure the integrity of PHI. For the purpose of this article we will focus on the technical safeguards. These safeguards include access and audit controls (how personnel, including BAs, accessing PHI should authenticate their identity) and integrity controls (how PHI should be stored at rest to ensure it is not improperly altered or deleted).
Password management is a layer of both security and vulnerability in access and audit controls. Password-based security is the default security control most organizations employ to authenticate and authorize access to private information. In most healthcare organizations, a password combined with a username will grant access to the network, email, files, folders, and applications. The password policy is a set of instructions and guidelines that ensures the organization complies with government and industry-specific standards. This policy is authorized by the highest level of executives and should ensure compliance while still allowing staff to effectively deliver care to patients.
Potential fines related to the disclosure of PHI by negligence involving and evidenced by the lack of a password policy can be extremely damaging to the organization’s reputation and be significant enough to impact their ability to continue operations. The 2015 Anthem breach, which compromised the records of close to 79 million patients, is an example. Anthem, the largest for-profit health plan in the United States, settled with HHS for $16 million for the breach. Anthem’s violations included a direct correlation to the organization’s passwords and password policy. The OCR investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the breach.3
Organizations and BAs need to identify potential threats at each point of the information handling workflow, considering all processes and procedures. For example, the onboarding and offboarding process of new and terminated BA users should include a workflow for communicating these changes to the individuals responsible for granting access and provisioning users. Ensuring the right people are aware of an access request from a new BAA will prevent delays in getting new vendors fully functional. Letting the same people know when a vendor has been terminated is crucial in ensuring the removal of access to PHI from those who no longer have the right to such information. Nonexistent or flawed processes in these areas leaves an organization vulnerable for unauthorized access and increases the risk of a breach exponentially. The opportunity for an organization to standardize their provisioning and deprovisioning processes is a relatively quick win for tightening up appropriate access to PHI. This communication process is an important part of BA relationship management.
Business Associate Management Vendors
The complexities of the information security practices necessary for a BA relationship management process—and the consequences of noncompliance—have made the option of outsourcing this function attractive to some organizations. BA relationship management vendors offer services and software to assist organizations in complying with the requirements. Some allow the BA to use the software for their subcontractors. There are also solutions that can help healthcare entities identify the security posture of potential BAs. Cybersecurity metrics such as past breaches, IP reputation, and volume of company information found on the dark web are calculated into a cyber risk score similar to a credit score. Companies currently offer this service and attach a risk score to potential BAs, but each one has its own methodology. Requiring this score from vendors as a prerequisite for consideration as a BA would be one box checked for covered entities.
Looking to HIM for BA Relationship Management
The BA relationship management function must be defined, and ownership of that function must be established. HIM professionals are well positioned to take on this role. The various HIPAA rules that affect BA relationships interweave HIM and IT responsibilities. It is often difficult to separate them. Perhaps the best way to comply with regulations concerning PHI is a truly collaborative approach that allows each discipline to bring their strengths and unique talents to the table to create the best solutions possible. There are a wide range of privacy and security responsibilities in healthcare facilities that may be handled by either discipline or shared between them.
The table “e-HIM Privacy and Security Responsibility Matrix” from Appendix C of the retired Practice Brief “HIM and Health IT: Discovering Common Ground in an Electronic Healthcare Environment,” available online in AHIMA’s Body of Knowledge at http://bok.ahima.org/PdfView?oid=86817, plots approximately 50 privacy and security roles related to EHR systems and notes whether the responsibilities are unique to HIM/IT or shared.4 HIM professionals should seek out and lean into opportunities to become involved in privacy and security, leading and guiding the continued collaboration of HIM and IT roles within their organizations.
1. Office for Civil Rights. Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
2. Office for Civil Rights. Direct Liability of Business Associates. Content last reviewed May 24, 2019. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/index.html.
3. Morse, Susan. “Anthem pays $16 million in record HIPAA settlement for data breach.” Healthcare Finance. October 16, 2018. https://www.healthcarefinancenews.com/news/anthem-pays-16-million-record-hipaa-settlement-data-breach.
4. AHIMA. Appendix C in “HIM and Health IT: Discovering Common Ground in an Electronic Healthcare Environment.” Journal of AHIMA 79, no. 11 (2008). http://bok.ahima.org/PdfView?oid=86817.
John Gagnon (email@example.com) is an information security engineer. Cheryl Martin (firstname.lastname@example.org) is HIM strategic advisor at AHIMA.
Continuing Education Quiz
Review quiz questions and take the quiz based on this article online at https://my.ahima.org/store/product?id=66097
- Quiz ID: Q2029101
- Expiration Date: January 1, 2021
- HIM Domain Area: Privacy and Security
- Article: “Business Associate Relationship Management”
Guiding the industry toward the most effective policies and practices to balance the ever-evolving need for appropriate access to protected health information with ensuring the confidentiality, integrity, and security of protected health information