So far this year, business associate breaches account for roughly 12 percent of the total breaches reported to the Office of Civil Rights (OCR), or 27 of the 233 reported breaches as of September 19. That means those affected covered entities could have been doing nearly everything right, but they still paid the price for the behavior of their vendors. And these are just the breaches that were reported. It's anyone's guess what the total count actually is, let alone how many vendors experienced a breach and never reported it to their covered entity clients.
What does this mean to a covered entity? It means that it's not enough to require a signed Business Associate Agreement (BAA). Vendors should be diligently vetted. Here's what you should be doing:
- Make sure your vendor has completed a Security Risk Assessment. Ideally, this has been done within the past year. Ask for a copy for your records. Upon receipt, review the report. Does it specify it was conducted in accordance with HIPAA requirements? Does it include a breakdown of vendor deficiencies along with a remediation checklist and timeline? Can the vendor document that they are adhering to this remediation plan?
- What workforce vetting practices are utilized by your vendor? A BAA won't prevent an unscrupulous employee of your vendor from stealing your data, most often for financial gain. The BAA may reduce your liability, but you'll still be implementing your Incident Response Plan and doing damage control on your reputation.
- What documented protocols govern how they access, manage, and store your Protected Health Information (PHI)? For example, it's not enough to accept their verbal assurances that they use encryption. Get it in writing, especially if you are using a generic BAA that doesn't narrowly define the scope of your vendor's provided services.
- Don't buy the fancy stories. We are frequently amazed at the cleverness and inventiveness of the stories vendors come up with about why they're not required to sign a BAA. We understand why they don't want to consider themselves under the purview of the HIPAA laws, but if they act like a BA and do business like a BA, guess what? They're a BA. If you hear a negative story from or about your vendor, choose another vendor without delay. This includes a number of companies that are essentially household names. Company size or brand awareness doesn't mean they're following HIPAA requirements.
Finally, more and more hospitals and large healthcare organizations are tightening scrutiny of their vendors. Numerous vendors have been replaced in the past few years by these institutions specifically because of their practices relating to HIPAA. We recommend that you follow suit. If you're working with a vendor that won't meet your security requirements, find another one. Put yourself in your vendor's shoes: if you're a vendor in the healthcare space and you haven't made HIPAA compliance and security a priority, you have no business being in healthcare. Don't enable companies that aren't willing to match or exceed your commitment to protecting your patients' data.
Be safe. Click smart.
Jeff Mongelli is CEO of Acentec, Inc., a nationwide provider of HIPAA compliance and medical IT management services. If you have any questions about this article or would like recommendations, please contact him for a free consultation at 800-970-0402 or jeffm@acentec.com.