Find Out What Happens When Your Third-Party Vendors are NOT HIPAA Compliant


Required: HIPAA Risk Analysis

Today, I discuss the importance of conducting an enterprise-wide risk analysis to identify vulnerabilities to your ePHI, and then the steps to execute the required HIPAA Risk Analysis.

After the passing of the Omnibus Rule, Covered Entities (CEs) are required to have a signed Business Associate Agreement (BAA) with each of their Business Associates (BAs). BAs often outsource their services to subcontractors, who are also required to observe the same restrictions on the use and disclosure of electronic protected health information (ePHI).

3 Steps Every Business Associate Should Take!

  1. Appoint your Security Official – This person will be responsible for ensuring that the activities necessary to secure ePHI are carried out.
  2. Conduct your HIPAA Risk Analysis to identify the Administrative, Physical and Technical Safeguards you need.
  3. After identifying your risks, begin to develop the policies and procedures for your security management program based on the findings of the HIPAA Risk Analysis.

BAs and subcontractors of ALL sizes and complexities MUST conduct and document a comprehensive HIPAA Risk Analysis of the computer and other information systems they use to create, receive, maintain, or transmit ePHI, identify the potential risks, and respond accordingly (45 CFR § 164.308(a)(1)).

Yes, this means you too, solo practitioner and solo BA!

What Happens When the BA is NOT Compliant?

North Memorial Health Care was required to pay $1.55 Million in HIPAA penalties following an investigation into a stolen, unencrypted laptop belonging to one of its BAs, Accretive Health. OCR’s Resolution Agreement states:

  • North Memorial began providing Accretive with access to North Memorial’s PHI on March 21, 2011, and did not enter into a written BAA with Accretive until October 14, 2011. See 45 C.F.R. § 164.308(b) and 45 C.F.R. § 164.502(e).
  • From March 21, 2011 to October 14, 2011, North Memorial impermissibly disclosed the PHI of at least 289,904 individuals to Accretive when North Memorial provided Accretive with access to PHI without obtaining Accretive’s satisfactory assurances, in the form of a written BAA, that Accretive would appropriately safeguard the PHI. See 45 C.F.R. § 164.502(a).
  • North Memorial failed to conduct an accurate and thorough risk analysis that incorporated all of North Memorial’s information technology equipment, applications, and data systems using electronic PHI. See 45 C.F.R. § 164.308(a)(1)(ii)(A).

A BA can be held directly liable, and subject to civil and, in some cases, criminal penalties, for unauthorized uses and disclosures of PHI.

Establishing and maintaining an effective information security program is not only a regulatory requirement, but also a critical activity for the protection of your patients’ information.

Business Associates, it is your responsibility to have a complete risk analysis conducted!

For tips like this and more, request your copy of the “HIPAA Security Rule – Know The Rules!” Newsletter today, and learn more about our FREE monthly webinar.