Prioritize, document, and repeat to ensure BA compliance
HIPAA Training Advisor, December 15, 2005
When you initiate or reexamine your relationship with a business associate (BA), keep in mind that its processes to secure PHI can affect your reputation, accreditation, and compliance status.
HIPAA does not require that you micromanage each BA, but instead requires you to take "reasonable steps" to avoid and mitigate breaches. These will vary from one BA to the next and from one covered entity (CE) to the next.
"BAs could be anyone from a large organization to a mom-and-pop organization," says John Ecken, CISSP, MCDBA, MCSE, MCSD, OCP, DBA, WCSP, founder of Computer Solutions & Support, LLC, in Louisville, KY. CEs have different resources to work with as well, so custom fit your handling of a BA to the situation.
"Just because one covered entity is doing it doesn't mean that's exactly the way you should do it, because everyone's different," says Rick Ensenbach, CISSP-ISSMP, CISA, CISM, senior security consultant for Shavlik Technologies in Roseville, MN.
Know where to focus your security efforts
To make sure your security measures are reasonable, direct the most resources to the BAs that you determine are high risk.
"The level of security should coincide with the type of information going out," Ecken says. If you prefer taking a blanket approach to BAs, err on the side of caution and assume that every bit of information is highly sensitive. Ecken and Ensenbach recommend taking into account the following when prioritizing BAs:
- Data sensitivity. For example, pay more attention to BAs that handle the results of AIDS tests than those given information regarding patient weight and body mass, Ecken says.
- Amount and timing of data access. If the BA only handles small amounts of PHI sporadically, there's much less risk than if it handles significant amounts of PHI all the time, Ensenbach says.
- People involved. For example, a celebrity's PHI will be more desirable to outsiders than a regular patient's and therefore more of a risk.
- Status of data. Determine whether the data are PHI. If the information is deidentified, don't make it as high a priority.
- BA's past history. If you have a good relationship with the BA, concentrate more on BAs with rockier security pasts. When you approach a BA for the first time, be sure to contact its references and ask about security history.
Obtain the appropriate documentation
Once you determine where to direct your attention, ask the BA for any documentation it has on security. This documentation should assure you that the BA
- has the appropriate security policies and procedures
- performs periodic security evaluations
- has assigned someone responsibility for its security program
- educates employees about how to handle PHI
- has a disaster recovery plan
"It could be a general statement on a compliance letter that says, 'We are properly protecting your information in accordance with the HIPAA security rule,'" says Ensenbach. However, for higher-priority BAs, insist on more than a letter.
In these situations, consider other types of security documentation, such as a third-party security assessment, an on-site inspection, or a tailored questionnaire that you provide to the BA. These will involve more work on your part and should only be done when the situation warrants it, Ecken says.
Build a strong BA agreement
Sign a BA agreement only after obtaining this assurance, Ensenbach says. While you should leave room to tailor an agreement to specific needs, all BA agreements should contain
- the purpose of the BA's data access
- your expectations about how the BA will protect your data from unauthorized access
- a definition of a security breach and the steps the BA should take in the event of one
- a process for periodically evaluating the BA's security risk
- a procedure for destroying or returning the data at the end of your relationship with the BA
Reevaluate BA relationships over time
To make sure your data remain secure, continuously monitor the BA's security risk. Again, the extent of this monitoring depends on your organization's size and manpower and the number of BAs you have. An organization with only a handful of BAs can afford to be more stringent because it has more time to devote to each BA, Ensenbach says. If you have many BAs, concentrate your efforts on a risky few, but obtain documentation from all. Annually go through the process again to identify your biggest BA risks and priorities.
Editor's note: Adapted from "Prioritize, document, and repeat to ensure BA compliance" Briefings on HIPAA, December 2005.