Have You Done It?
That’s right; I asked you “Have You Done It?”
Done what you ask?
Executed a Business Associates Due Diligence (BADD) review for each of your Business Associates (BAs).
Why does it matter?
Because What You DON’T Know CAN Hurt YOUR Patients and Your Business!!
What Happens When You Don’t Perform A BADD Review?
Advanced Care Hospitalists (ACH), a contractor physician group in West Florida, found this out the hard way after a BA of theirs had a healthcare data breach in 2014.
Here is a brief description of what happened:
ACH engaged the services of an individual who claimed to be a representative of Doctor’s First Choice billings Inc., a Florida-based provider of medical billing services. That individual used First Choice’s company name and website, BUT according to the owner of First Choice, those services were provided without the knowledge or permission of First Choice.
I would say this was a costly lesson for ACH!!
As you know, when the U.S. Department of Health and Human Services (HHS) comes calling they keep looking!!
After everything was said and done, ACH agreed to pay $500,000 to HHS …
Implement a robust 2-year Corrective Action Plan (CAP) to correct ALL HIPAA compliance failures.
Now I ask you, wouldn’t it be better to implement and perform your BADD review before this happens!?
Do You Know What Your BAs Are Doing?
Many Covered Entities (CEs) don’t know the specifics of how their BAs operate, what information they are accessing, or what technology they use. Administrative workforce personnel are often responsible for managing Business Associate Agreements (BAAs) without understanding HIPAA or the potential impact of a violation, to both financial well-being and reputation, on the CE and its BAs.
In a perfect world, you could depend on your BAs to understand and follow the HIPAA regulations when handling Protected Health Information (PHI). You could trust them to comply with the regulations and perform an enterprise-wide risk analysis in order to better understand their deficiencies. But, as this case clearly points out, we don’t live in a perfect world!!
Instead, CEs must obtain satisfactory assurances from all their BAs that they appropriately implement HIPAA security measures and are maintaining compliance. One way to accomplish this is to perform a BADD Review.
The purpose of sharing this story with you is not to point fingers or attach blame. It is to bring awareness of what has happened. That is why HHS shares the lessons learned from each settlement agreement with the public.
Start By Performing a Review of All BAs
Start by verifying who is and who is NOT a BA (include BA subcontractors). Then evaluate each relationship based on the unique set of risks each brings to your organization.
After you’ve identified all your BAs it is imperative that you:
- Understand how your BAs are accessing PHI
- Identify who within each BA’s organization is accessing PHI and whether they should be accessing it
Why is it important to identify all your BAs?
Because how can you manage what you don’t know!!
I’ve included a few steps to help as you begin managing your BA relationships:
- Verify you have a current signed BAA for each BA who creates, receives, maintains, stores and/or transmits PHI
  - a) Identify the number of BAAs that exist across your organization
  - b) Identify where BAAs are located
  - c) Document the terms of each BAA
- Identify which systems, software and hardware they are accessing and where your PHI will be stored (e.g., whether PHI will be offshored at ANY time)
- Identify the Breach Notification Time for each BA
Do you know the Breach Notification Time for each of your BAs? Here is why you should!!
I shared WHY you need to perform your own BADD review and the impact of what happened to ACH.
If ACH had performed a BADD review on their BA before exchanging any PHI, they could have saved themselves a whole lot of sleepless nights, financial expense and loss of revenue.
But in case you need more convincing in 2019: in 2018, 76 BA healthcare data breaches affecting 5,730,242 patients were added to the Health and Human Services (HHS) “Wall of Shame.” And three of those organizations made the list TWICE!!
This only scratches the surface on how CEs need to understand and manage their relationships with their BAs.
Covered Entities and Business Associates need to understand that patients are entrusting YOU with their most private and intimate details and they expect it to remain secure!
After all, it is YOUR practice, YOUR patient’s trust, YOUR reputation and YOUR legacy!
Why are you leaving yourself wide open to these risks?
Performing your Business Associate Due Diligence will help your organization understand the risks and requirements detailed within your BAs.
Now I ask you …
- Have YOU done YOUR Business Associates Due Diligence?
- When was your last annual BA Risk Analysis performed?