To all of you in healthcare (and anyone who goes to the dentist, has ever had an unexpected stay in the ER, or has had to get some physical therapy for that injury from way back when that somehow seems to creep back into painful existence time and time again), I’m sure you’re concerned with making sure your treatment works and that you or your patients are getting the highest quality of care.
Part of keeping doctors focused on what they do best? That’s where business associates have helped healthcare organizations immensely.
But who the heck are business associates?
Technically speaking, a business associate is anyone that performs functions or activities that use or disclose protected health information. That means anyone who processes any patient data (even names, dates, facility names, etc.) should be considered a business associate.
How many business associates does your office have?
If you’re like many offices, you probably cannot simply count your business associates on one hand. Think about all of the services vendors might provide for you. Your EHR platform? Cloud storage? Do you use any lab facilities? What about medical billing? The list goes on, but I want to make clear that business associates are all over the place—and in most network security assessments, we are not seeing proper documentation around all of the organizations that interface with your practice or facility.
Why should you care about your business associates?
The Office of Civil Rights (OCR) within the Department of Health and Human Services (HHS) is starting to crack down on facilities that do not properly have business associate agreements with those companies and organizations that use, process or touch any form of protected health information. In fact, there have been recent cases that have led to fines in the ten’s to hundreds of thousands of dollars. In fact, here in Philadelphia the Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) recently settled for a $650,000 fine for not having appropriate business associate agreements in place with other organizations touching their patient data. Essentially, OCR is holding your facility responsible for what your business associates are doing with your data. If you do not have updated business associate agreements with them, then you will most certainly be on the hook for any data breach or attack affecting the privacy and integrity of that information.
What is in a business associate agreement (BAA)?
BAAs are contracts that tell business associates how they need to disclose and safeguard your facility’s protected health information. At minimum, your business associate agreements should have the following:
The bottom line…
You really should evaluate who is working with you, how they are handling your data and have means to evaluate whether they are actually keeping your patients’ data secure. At minimum make sure you have all of your business associate agreements up to date. You may also want to require those associates to have their network evaluated with a network security assessment to make sure all of their ducks are in a row.
Leave a Comment
Your email address will not be published. Required fields are marked *