Reducing risk: Improving vendor management

In our last discussion, we talked about being audit-ready and how having our program well-defined, well-documented and organized was important to setting the right tone for the audit. So let’s take a look at one aspect of our program and what that means in practice: an area of the business that represents a considerable risk for many covered entities today, the management of business associates.

Business associates provide many important services that support the business of the covered entity. These services include transcription, claim processing, laboratory tests, radiology, system administration, data hosting, etc., and they make it possible for small organizations in particular to offer full-service support to patients. Such services can require us to permit access to critical systems that hold patient information or, in some cases, to transfer patient data to a third party for processing and retention. When we engage with these business associates, we need to ensure that sound practices are in place for managing the risk involved.

The Office for Civil Rights (OCR) in its new audit program has identified business associate relationships as an important focus area, suggesting that covered entities should adopt a life cycle approach to data security when managing vendors with access to patient data. Important elements to manage include:

  • defining minimal necessary,
  • due diligence during selection,
  • documenting security requirements in contractual agreements,
  • monitoring vendor performance,
  • planning for joint breach notification requirements and
  • providing clear direction for disposition of patient data upon contract termination. 

Let’s take a look at each of these and what is expected.

Minimal necessary. An important facet of reducing risk is limiting access to patient information to only that which is necessary to accomplish the function. This means that covered entities should consider what level of access business associates should be given to systems with patient information, whether transfer of patient data is required and exactly how much, and what restrictions should be in place for retention and further dissemination. Establishing minimal necessary is critical to defining other controls.

Vendor selection. Covered entities should seek to understand whether the vendors they are considering are qualified and capable of protecting patient information. This is accomplished by requesting documented evidence of their security readiness. This can be proof of an independent third-party security assessment, SAS 70 or SSAE 16 reports, and a review of documented policies and procedures. Vendors who cannot provide such documentation should be eliminated from consideration.

Contracting. The relationship between covered entity and business associate is defined by the contract between them and its stated provisions. Minimally, covered entities should provide an appropriate business associate agreement as required by HIPAA. Additionally, minimum security requirements should be spelled out. Defining expectations is essential to establishing the right direction for the relationship and could be critical should an incident or non-compliance occur.

Monitoring performance. Contractual relationships can last multiple years, so it’s important to ensure that the performance of your business associates meets your expectations throughout the duration of the contract. Over time, a business associate’s computing environment, physical location, employees or other business partners can change. Requiring business associates to provide an annual update of their status, to notify you of material changes and of plans to engage subcontractors, and monitoring their access to your systems can avoid surprises.

Breach notification. The HITECH Act established formal requirements for breach notification and created a shared responsibility between covered entities and business associates. However, that responsibility for business associates only requires that they notify the covered entity if a breach occurs. To reduce liability, covered entities need to address all aspects of breach notification with their business associates, including notification, investigation, risk assessment, response and indemnification of costs.

Contract termination. Covered entities must plan for the eventual end of their contracts with their business associates, which means conveying instructions for terminating business associate access and for the final disposition of patient information. Will the business associate be required to return the information it has maintained or to document its destruction? Documenting these final disposition instructions is important to reducing the risk.

Business associates help complete the care team and provide critical services that enhance and support care, but they also represent a component of risk to patient information that requires appropriate attention. While the risk of breach is shared, it is the covered entity that shoulders the brunt of any incident. Early due diligence, clear communication of expectations and regular reviews can reduce the risk posed by third-party vendors. These actions will also ensure that you are ready for a compliance audit if selected.