By D’Arcy Gue, VP, Industry Relations, Phoenix Health Systems
Twitter: @DarcyGue
A record number of hospitals — nearly 80% — have signed IT department outsourcing contracts this year, or are looking to do so. A recent Black Book study says most hospital CFOs and CIOs are collaborating with external service providers to resolve bottom line pressures. They have found that outsourcing provides cost-effective access to badly needed software solutions and HIT expertise. But there is a rub. When HIPAA covered entities (CEs) contract with most IT outsourcers they must establish and manage HIPAA business associate relationships with them.
What are the risks of depending on these outsiders? Data security and privacy breaches by business associates have exploded in recent years. For hospitals and other CEs, implementing a risk management program addressing IT outsourcing vendors and other business associates (BAs) has never been more critical. In this post, we’ve put together a list of eight BA risk management essentials.
But first, when is an outsourcing vendor a HIPAA business associate?
The Omnibus HIPAA rule of 2013 expanded the definition of “business associates” to include all vendors that create, receive, maintain, or transmit protected health information (PHI) on behalf of a covered entity, e.g. a hospital or payor. This includes your EHR vendor, other PHI-touching systems vendors, data storage firms, billing outsourcers, consulting firms, clinical service desks and more.
Also — and this is huge — subcontractors of business associates that perform business associate functions are themselves business associates. As a result, the Omnibus Rule requires a chain of compliance starting with the HIPAA-covered entity, through the business associate, and ending with the lowest-tier subcontractor.
Just as covered entities are held responsible for breaches or violations of their business associates, so, “first level” or primary business associates are held responsible for the compliance of their subcontractors. As with covered entities, business associates are now subject to the same penalties for noncompliance. And, as of 2016, business associates are being audited for compliance by the Office of Civil Rights (OCR).
To learn more about the Omnibus HIPAA rule, and its privacy and security requirements, read our complete summary here.
Implementing a Business Associate Risk Management Program
Bringing any IT vendor into your hospital adds significant privacy and security risks. These are greatly compounded if the vendor uses subcontractors that also touch PHI. The complexity of making intelligent outsourcing decisions has risen several notches with Omnibus HIPAA.
Risk management can be divided into two broad stages: due diligence prior to engaging a vendor, and on-going monitoring and reporting. A cautionary note on due diligence: you may have narrowed your choice of vendors to just two or three, but if you haven’t performed a HIPAA risk assessment with finalists, you’re not ready to make a choice. HIPAA requires that you obtain satisfactory assurance of compliance in writing from all of your business associates.
Here are the essentials of a strong risk management program:
- Your chosen vendor should be willing to sign a HIPAA Business Associate (BA) agreement in order to work for you. If it is not willing, you will have to move on to another vendor. Why? Because your hospital, a HIPAA-covered entity, will be held accountable for NOT creating an agreement, especially if it is audited by the Office of Civil Rights (OCR), or is the victim of a breach. In the latter case, you will have to expect financial penalties.
- You should determine the level of access to PHI that the prospective vendor may have in its relationship with your organization. This will provide a foundation for evaluating the severity of risks presented by contracting with the vendor. Minimal exposure or access means minimal risk. The opposite is also true.
- Now comes the heavy lifting part of due diligence: your hospital must conduct an assessment of the vendor’s compliance with HIPAA regulations, the integrity of the vendor’s data, and its ability to prevent breaches and detect them. The following list of assessment factors is not meant to be comprehensive, so you should enlist your organization’s security / privacy officer (who must be well versed on HIPAA) to manage the assessment. As examples, the process should include ascertaining through documentation and first hand observation that the vendor meets the following requirements:
- BAs must have an assigned security / privacy officer. This person must know HIPAA and have the authority to step in and make recommendations to the IT department and senior management when necessary.
- BAs are required to have a documented set of privacy and security policies and procedures, which your organization should review as part of the vendor vetting process. The policies should cover the vendor’s employees, volunteers, contractors, and other members of the BA workforce.
- BAs must maintain an active security / privacy program that aligns with HIPAA requirements, at the very least. The program also should align with your organization’s security program. The BA’s program needs to include ongoing security administration activities to assess, monitor, prevent, and mitigate security threats. It must have established systems for discovery of breaches and a formal response plan in such an event. The BA should be providing annual HIPAA training to its workforce.
- If a prospective BA is contracting with downstream business associates on your hospital’s behalf, it must have BA agreements with them and impose the above data security and applicable privacy requirements on them. Their contracts should include documentation of the upstream BA’s right to terminate the downstream vendor for security or privacy violations. If the BA uses several BA subcontractors, your organization’s review process will either go smoothly if the prime vendor has a well-managed HIPAA compliance program, or it will crumble under the weight of too many unanswered questions by an unprepared vendor.
- The vendor should have adequate physical security protections in place, in addition to systems and process protections. You should assess facility access and other physical security measures implemented by the vendor. Ideally, this assessment should occur onsite, particularly if the vendor is to have significant access to your data.
- You should assess the vendor’s ability to perform in the event of a system or process failure or catastrophe. For example can it show you that it has a current disaster recovery plan? Has it implemented appropriate redundancies to prevent lost data?
- Even if all looks positive in the initial assessment phase, the vendor or a subcontractor may have experienced HIPAA breaches. This doesn’t necessarily present a hard stop in your relationship. Get a report on any HIPAA breaches the vendor or sub-contractor may have caused or been part of, along with subsequent remedial efforts. Assess the potential impact of the breach history on your organization’s reputation. Hopefully, you will find that the vendor’s remedial work is sufficient to justify moving to contract.
- The financial stability of the vendor is significant not only for good business reasons, but also to ensure that it is not vulnerable to failures that could jeopardize data privacy and security. Request appropriate financials.
- Within your contract, you should require the vendor to complete privacy / security assessments annually, to be submitted to your organization.
- Just as your BAs will have created the right to terminate the vendor for security or privacy violations, your BA vendor contracts should include similar plans for terminating the relationship cost-effectively.
- Maintaining and managing your BA vendor inventory is a difficult necessity. Many hospitals do a good job of vendor tracking in their purchasing departments, but their IT leaders are oblivious to such old fashioned record-keeping. BA inventory management, typically the job of the security / privacy officer, includes maintaining up-to-date copies of contracts, service level agreements (SLAs), BA agreements, and follow-up assessments.
- Due diligence is never “done.” The security / privacy officer should regularly monitor all BA vendors’ SLA performance, and their security and privacy-related activities and performance. If you have required your BAs to complete a privacy / security assessment annually, you should expect to receive a documented update each year. The update should include similar reports provided to the BA by its subcontractors. Create a follow-up calendar to make sure your BAs are held accountable.
- This component is obvious, but presents a significant problem for many hospitals: a business associate risk management program can only be effective if your security / privacy officer (and/or others) is held accountable for all of the above. In some hospitals, this HIPAA-required role is often part-time for staff members who have other responsibilities, or it is given low priority. While resource constraints are common especially in smaller hospitals, the fact is that if the compliance officer does not have a mandate to manage the program, it will fail. An outsourced vendor’s performance – or lack thereof – could create reputational and legal consequences for your organization, not to mention data penetration disasters. If you do not monitor your outsourcing vendors’ activity, you could also incur sizable HIPAA penalties and loss of patient confidence.
Data breaches are rampant among business associates today. We recently reported from a Ponemon survey: “87% of BAs have experienced electronic data security incidents in the last two years, in contrast to 65% of healthcare providers and payors. Nearly 60% of all [BA] participants said their incident response process had inadequate funding and resources, and the majority had not performed risk assessments.” OCR hit the industry with the first ever penalty on a business associate this year, now that it is auditing BAs.
Interestingly, many vendor / business associates still don’t know that HIPAA covers them or what a BA designation means. This is partially because the covered entities they work for have not completed HIPAA due diligence with them. Nor has the department of Health and Human Services aggressively reached out to inform them of their responsibilities.
Our healthcare industry is learning the hard way. Cybercriminals are hammering it because they can. Negligence is way too commonplace, particularly among vendors that have no clue as to their HIPAA responsibilities. Our security and privacy environment is not yet as robust as industries like finance and manufacturing, but we can enhance it greatly just by following the rules. Hospitals and other covered entities must ensure that their internal staffs and their affected vendors understand and are consistently compliant with HIPAA.
This article was originally published on Phoenix Health Systems and is republished here with permission.