The risks of business associates and HIPAA compliance
In May 2019, the American Medical Collection Agency (AMCA), a "business associate" of a number of healthcare providers, reported an eight-month data breach had exposed sensitive information for more than 20 million patients. The event brought into sharp focus the risks facing healthcare providers who depend on outside vendors for support services. Under the Health Insurance Portability and Accountability Act (HIPAA), healthcare providers— also referred to as "covered entities"— can share protected health care information with vendors and business associates. Business associates can be anything from claims processors, bill collectors, and accounting firms to consultants, attorneys, claims clearinghouses, and medical transcriptionists. While third-party vendors can offer more operation-critical services, they do require remote access to your network and sensitive data. However, those businesses must agree to use the information to do only what they were hired to do with it, to safeguard the information from misuse, and to help the healthcare provider comply with legal obligations for privacy. Those obligations under rules mandated by HIPAA include limiting access to protected health information to what's necessary to satisfy a purpose or function and prohibits a healthcare provider from using or disclosing that information unless authorized by patients.
Vendor relationships involving HIPAA
Before any protected healthcare data can be shared with a vendor or business associate, the provider must obtain in writing, either through a contract or other agreement, assurances from the third party that it will safeguard the information. This is known as a “Business Associate Agreement” (BAA), in HIPAA parlance. In addition to any requirements in the agreement between the healthcare provider and the business associate, the business associate must comply with federal security rules. Business associates also need to be aware of federal, state and local privacy laws that impose tougher restrictions on protected health information than HIPAA. In those cases, it's best to comply with the more restrictive requirements. Failing to do so risks fines and penalties from those regulatory bodies. If a business associate violates its agreement with a healthcare provider or fails to comply with its obligations under federal law, the contracting healthcare provider can be found to be in violation of HIPAA, along with their vendor. Even though BAAs are required, an agreement alone doesn't let a healthcare provider off the hook for violations of a business associate. HIPAA requires a provider to do "technical due diligence" before sharing protected health information with an associate. Technical due diligence means the provider has questioned the associate to make sure the appropriate safeguards and policies are in place to protect any sensitive data shared with them. When it comes to due diligence, documentation is very important. Unless a provider can document their diligence, then they might as well have not done any at all. Monitoring is also crucial. An annual risk assessment should be conducted of business associates to make sure they're properly safeguarding the personal health information they receive. If a data breach occurs at an associate and that associate hasn't been monitored regularly, then the provider runs the risk of failing the due diligence requirement.
Violations of HIPAA privacy and security requirements can be quite costly to a healthcare provider, depending on the circumstances of the violation. There are four tiers of fines:
- Tier One: where an offender was unaware they were violating HIPAA, $100 to $50,000 per violation, capped at $25,000 per year a violation persists.
- Tier Two: where a violation is due to reasonable cause without willful neglect, $1,000 to $50,000 per violation, capped at $100,000 a year.
- Tier Three: where there's willful neglect but an organization fixes the violation, $10,000 per violation, capped $100,000 per calendar year.
- Tier Four: where there's willful neglect and a violation remains uncorrected, $50,000 per violation, capped at $1.5 million per calendar year.
Also, be aware of willful violations that involve malicious intent or for personal gain, one can get up to ten years in jail and up to a $250,000 fine per individual. That’s real money and a hard time! Healthcare providers who want to avoid those fines will make sure to do their technical due diligence and monitor the behavior of their business associates, as well as keep their own systems in compliance with HIPAA requirements. If you're in the healthcare industry and have vendors, if they're not compliant, then neither are you. Download our HIPAA checklist to make sure you're compliant with all mandates in terms of vendor remote access and HIPAA.