Written by Amanda C. McGrath, Privacy Consultant at CynergisTek, Inc.

HIPAA covered entities face numerous challenges in managing business partner relationships. Entities must identify every vendor, contractor or supplier that will handle or have access to protected health information. In addition, these relationships require negotiation and execution of a HIPAA compliant Business Associate Agreement (BAA). Healthcare organizations recognize that assuring the confidentiality, integrity and availability of their PHI means having a vendor management program in place to monitor and enforce the promises their contractors and vendors make in their Business Associate Agreements to safeguard data.

The modifications to the HIPAA Privacy and Security Rules, enacted in 2013, expand the definition of business associates. Under the revised rules, “business associate” now includes any entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity or their business associate or any entity that provides services to or for the covered entity involving the use or disclosure of PHI. This means that all downstream subcontractors that create, receive, maintain or transmit PHI on behalf of a business associate now meet the definition of business associate. Another major change is that business associates are now directly liable for certain Privacy and Security Rule violations. Prior to the new rule, business associates had only contractual liability to their covered entity but no direct liability to OCR for HIPAA violations.

In addition to broadening the definition of who is a business associate and imposing direct liability for compliance with the Security Rule and certain provisions of the Privacy Rule, covered entities must update their BAAs to comply with the new HIPAA requirements. BAAs must provide that the business associate will (1) comply with HIPAA Security Rule, (2) report breaches of unsecured PHI to the covered entity, and (3) enter into BAAs with subcontractors in the same manner that the covered entity contracts with the business associate.

The rules changing the required provisions of the BAA took effect in 2013 for those agreements created or modified after the Omnibus Rule’s publication in January 2013. HHS used its enforcement discretion to give covered entities more time to revise the BAAs that were already in place, but the extended compliance deadline to update those BAAs by September 23, 2014 is quickly approaching.

To address these regulatory changes and manage the inherent challenges and complexities of a web of business associate relationships, diligent vendor management has become a crucial component of a healthcare organization’s privacy and security compliance program.

What can a covered entity do to strengthen their vendor management program?

One of the best ways a covered entity can increase security in their vendor relationships is to be selective and vigilant in choosing third-party vendors when embarking on new business associate relationships. Careful vetting during the vendor selection process is a great way to obtain assurances that a business associate is protecting the confidentiality, integrity and availability of PHI. To start the vetting process, a covered entity can require prospective vendors to complete an information security questionnaire. Obtaining this information will enable the covered entity to assess the maturity of the vendor’s information security program. The covered entity should also request to review the organization’s risk assessment policies and the most recent risk assessment documentation. Undertaking this review prior to contracting with a vendor gives the covered entity a picture of where there may be gaps and compliance issues and ultimately helps the covered entity evaluate whether the vendor is a suitable candidate to become a contracted business associate.

Effective vendor management also requires a covered entity to build a strong BAA in both new and existing business associate relationships. First, a strong BAA should keep the business associate accountable in the event of a breach. This can be achieved by having an incident management plan in place that sets forth the duties of the parties in the event of a breach, requiring a tighter schedule for breach notification to 24-48 hours after becoming aware of the incident, and by requesting indemnification provisions to cover costs of breach notification. A few other suggestions a covered entity should consider is to require the reserved right to request third-party assessments and a predetermined plan for handling PHI when the business relationship terminates.

CynergisTek recommends that covered entities actively evaluate and audit business associates’ security to ensure compliance during the life of the engagement. Some suggestions include sending out a periodic questionnaire prompting questions such as ‘When was the date of your last risk assessment?’  ‘When were your privacy and security policies last updated?’ ‘What was the date of your last workforce education specific to HIPAA compliance?’. covered entities should also periodically request documentation to ensure that the business associate’s risk assessment is current and request documentation showing the completion of business associate duties such as data backup confirmations, data destruction certificates, etc.

To help track and manage these activities, CynergisTek recommends creating a third-party vendor inventory. The inventory should identify the parties, nature of the engagements, sensitivity of the PHI the vendor manages, and schedules for audits and evaluations. Various tools are available on the market to assist covered entities with this task. Discover how CynergisTek’s Vendor Security Management program can address these important measures, strengthen business associate management and demonstrate due diligence.

Disclaimer: This article is intended for general information purposes only. It does not constitute legal advice. The reader should consult direct sources or knowledgeable legal counsel to determine how applicable laws apply to specific facts and situations.