HIPAA Compliance and Vendors: What are the Rules?

No healthcare provider does it all alone. Doctors’ offices and hospitals spend their time taking care of patients’ physical and mental well-being. While they are busy treating people, many companies and individuals work behind the scenes to keep the healthcare industry running smoothly and efficiently. When HIPAA came into being, covered entities (CEs) were busy making sure their own businesses were compliant. Today, just being compliant is not enough: it is the CE’s responsibility to ensure that its business associates are also following the HIPAA security and privacy rules.

Healthcare providers and hospitals are covered entities under HIPAA. Their vendors, referred to as business associates (BAs), are those that handle PHI while providing support to a CE. According to the Health and Human Services website, a BA handles the following functions: “claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing.” Services provided by BAs are: “legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial.” In short, any company that works with a CE and handles PHI is a BA. Any business that touches a patient’s electronic health records (EHR), demographic information, or payment for healthcare services should be held to the same high standard of HIPAA compliance that a practice holds itself to.

According to the HIPAA rules, every CE should have a Business Associate Agreement (BAA) with each vendor that falls into the category of a BA. A BAA should include the following:

  • Description of the BA’s “permitted and required uses of protected health information.”
  • Agreement that PHI will not be disclosed or used in any fashion outside of what is “permitted or required by law.”
  • Requirement that approved levels of “safeguards” be in place to prevent a breach of PHI.
  • If a breach occurs that violates the BAA, the CE must be informed and must then seek to correct it. If the breach cannot be corrected, the agreement will be terminated.

When CMS reviewed BAAs in 2009, several problems were discovered. These included:

  • no BAA being used at all;
  • BAAs that were not signed by both parties;
  • failure to address the HIPAA Security Rule;
  • no requirement that the BA report “vulnerabilities” to the CE;
  • no requirement that the BA report any breach of PHI;
  • no statement of what activities the BA will perform and under what conditions;
  • no provision that the CE may perform an “audit or risk assessment” and require a “corrective action plan to remediate the findings.”

Using a healthcare attorney to ensure that the BAA is thorough and compliant with the standards set by HIPAA is important. Failing to do so may mean omitting the details that protect the practice and its providers from mistakes made by vendors. Knowing that the vendors you are entrusting with a patient’s medical and personal information are careful and competent is vital. “Good patient care means safe record-keeping practices. Do not forget an EHR represents a unique and valuable human being: it is not just a collection of data that you are safeguarding, it’s a life.”

Sources:

The Office of the National Coordinator for Health Information Technology. (n.d.). Privacy and Security Guide. Health IT. Retrieved September 6, 2012, from https://www.healthit.gov/providers-professionals/ehr-privacy-security/resources

CMS Office of E-Health Standards and Services. (September 22, 2009). HIPAA Compliance Review Analysis and Summary of Results. US Department of Health and Human Services. Retrieved September 6, 2012, from https://www.hhs.gov