All Blogs

Protect Yourself From Vendor HIPAA Breaches, or Pay the Price


Posted Jul 6, 2017
Share: Share on Facebook Share on Twitter Share on LinkedIn
All Blogs

Protect Yourself From Vendor HIPAA Breaches, or Pay the Price

Posted July 6, 2017
Share: Share on Facebook Share on Twitter Share on LinkedIn
HIPAA Breaches

Just because you’re taking care of your obligations under the Health Insurance Portability and Accountability Act (HIPAA), doesn’t mean that the vendors you work with are doing the same.

So why should you care? Because if your vendors access your patients’ confidential information through your working relationship and have a breach of that data, you are responsible — and can end up paying serious penalties and fines.

HIPAA calls these vendors “Business Associates” (BAs). BAs have the same HIPAA liability as you do. This means that they have direct responsibility to comply with HIPAA and its associated rules and regulations.

BAs include any vendor or independent contractor with which you share patient protected health information (PHI), (i.e. billing company, EHR vendor, consultant, etc.). They also include those vendors that gain access to this data — even if you didn’t expressly give it to them (i.e. cleaning companies, IT professionals, etc.).

In addition, BA subcontractors have the same direct HIPAA liability and responsibilities as you and your direct BAs. If a BA’s subcontractor inappropriately releases your patients’ PHI, it must report this event to all parties involved and comply with HIPAA breach guidelines.

Essentially, all entities in the contractor chain have BA obligations. Every subcontractor has a responsibility to fulfill the same requirements as the top-level BA vendor. For instance, a cloud service provider that has been hired to store or maintain PHI would be a subcontractor.

So how can you protect yourself from the fines and penalties associated with a BA or subcontractor breach of your patients’ data? The answer is a solid Business Associate Agreement (BAA). Your BAA should clearly spell out each party’s responsibilities if a breach occurs. Also, you should get a list of subcontractors from each of your BAs and a copy of the BAA that they have on file with each one. Also, you should regularly audit their performance and ability to comply to ensure your patients’ protection.

Here are few key points that should be included in your BAA:

  • Spell out PHI use and disclosure
  • PHI releases to government, patient and/or covered entity upon request
  • Breach notification
  • Reasonable effort and Minimum Necessary rule compliance
  • Need for BAAs with subcontractors
  • Meet all Security Rule requirements

If a breach occurs due to your BA or one of their subcontractors, having a BAA in place won’t solve all of your problems. Although you may not be responsible for the inappropriate data release, your patients won’t see it that way. Consequently, you should ensure that your BAs observe all compliance regulations. And if a breach does occur, be proactive and comply with HIPAA’s notification guidelines, which you can find at https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html?language=es.

Take Aways:

  • Spell out each BAs’ responsibilities in your BAAs to thoroughly document your relationship.
  • Make sure to review your BAAs to ensure they reflect all vendor and contractor requirements to protect patient PHI.
  • BA subcontractors are just as liable under HIPAA as you are.