Risk analysis for business associates is one of the services offered by Eagle Consulting Partners. Effective March 25, 2013, Business Associates became directly regulated by HIPAA and are required to comply with the HIPAA regulations. One of the key compliance requirements, and often a good starting point for a Business Associate just beginning its compliance program, is a Security Risk Analysis.
Who is a Business Associate? The formal definition of Business Associate is complex, but typically a Business Associate is a vendor of either a HIPAA Covered Entity or another HIPAA Business Associate that uses or manages patient information as part of its work. If the entity “creates, receives, stores or transmits” electronic patient information, it is subject to the additional provisions of the HIPAA regulations governing electronic Protected Health Information (the HIPAA Security Rule).
The HHS.gov site offers this example list of who fits the definition of a business associate in healthcare:
- A third party administrator that assists a health plan with claims processing.
- A CPA firm whose accounting services to a health care provider involve access to protected health information.
- An attorney whose legal services to a health plan involve access to protected health information.
- A consultant that performs utilization reviews for a hospital.
- A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.
- An independent medical transcriptionist that provides transcription services to a physician.
- A pharmacy benefits manager that manages a health plan’s pharmacist network.
In an infographic drawing on research from HIMSS, Ponemon.org, and ID Experts, 73% of healthcare organizations are concerned or not confident that their business associates are up to speed with risk assessments. The same research shows that 87% of business associates have had multiple security incidents in the past two years. Business Associates can therefore boost the confidence of their customers, help retain clients, and even gain market share with a rigorous HIPAA compliance program.
What’s the cost of non-compliance? The HHS Office of Civil Rights may impose Civil Monetary Penalties (CMPs) for violations of HIPAA under a complex four-tiered system. Under the highest penalty tier, the penalty for a single violation can be as high as $50,000. OCR has used CMPs only twice in enforcement actions; most of the time it negotiates settlement agreements. Larger entities (hospitals, hospital systems, insurance companies and national providers) have paid amounts ranging from $500,000 to $4 million. Smaller entities (physician practices, county agencies, other small organizations) have paid amounts ranging from $25,000 to $225,000. There has been only one enforcement case against a Business Associate so far, in the state of Minnesota.
In addition to risk analysis services, Eagle also offers customizable policy templates available for immediate download. Eagle currently offers policy templates specifically designed for two types of business associates: medical cloud computing vendors and technology consultants/VARs/managed services companies. For the myriad other entities that are Business Associates, Eagle offers custom policy and procedure development to create appropriate policies tailored to the unique requirements of the organization.