How to Reduce Risk When Working with Healthcare Business Associates

As a healthcare provider or organization, your main goal is to provide quality medical care to help patients with their medical needs. Your organization will also require business services from companies to help your operations run efficiently. You may need a CPA to help with your accounting department, a mobile web developer to create an online health portal so patients can keep track of appointments and test results, or a medical transcriptionist to transcribe dictated information into patients’ medical records.

Your healthcare organization must always safeguard patient health information (PHI) under the compliance standards established by the Health Insurance Portability and Accountability Act (HIPAA) or face fines and penalties. What about companies providing services to your organizations?

According to HIPAA standards, any HIPAA-covered entity working with a business associate who has access to patient health information must take security steps to keep the health information protected from the risks of theft or loss. One HIPAA regulation involves the healthcare provider to have a business associate agreement with the third-party company.

What is a Business Associate Agreement?

A business associate agreement (BAA) is a contract between a healthcare organization and a business associate that provides services or products. A business associate is defined as any company or entity working with the healthcare provider who may have access to patient health information. Companies that can be business associates include CPAs, lawyers, consultants, claims administrators, pharmacy benefit managers, IT professionals and a range of other companies. In addition, if a business associate hires a subcontractor to perform work for the healthcare provider or organization, the subcontractor would also be considered as a business associate due their operations coming into contacting or working with patient healthcare information.

The BAA contract provides details regarding the reasons why the business associate must have access to patient health information as well as require the business associate to provide the appropriate safeguards to keep the information secure. In addition, the BAA contract also lists the procedures that the business associate will take if there is a breach in privacy. If the business associate fails to follow these procedures or minimize theft and loss of the patient healthcare information, the contract will require the HIPAA-covered entity to terminate the contract. The health organization must also report any difficulties in contract termination to the Office of Civil Rights (OCR) that is a part of the Department of Health and Human Resources organization.

Any health organization or provider who is a HIPAA-covered entity that doesn’t have a required BAA contract with their business associates can face serious penalties. The federal government can impose civil monetary fines against you and/or levy criminal punishments.

Cybercriminals Targeting Business Associates as Weak Links to PHI Records

For the past several years, news of cyber-attacks has increased significantly. Cybercriminals are using new technologies to penetrate security protections in servers and networks to access personal information and accounts of customers working with businesses. Even the healthcare industry is at risk. In the beginning of 2017, the FBI warned that cybercriminals were attacking unsecured FTP servers in the United States to perform ransomware attacks as the United Kingdom’s National Health Service also found hackers targeting NHS trusts in England, Scotland and Wales.

Unlike other cyber-attacks where criminals steal personal information to perform identity theft, ransomware attacks are viruses that infect vulnerable computer systems to hold the information for blackmail and intimidation purposes.

Many of the issues with the networks and servers operated by healthcare providers are outdated and can be easily compromised by these sophisticated attacks. While healthcare organizations are building up their systems to make them more secure, business associates are now being targeted as the weak link into still accessing the patient healthcare records.

How Healthcare Organizations Can Lessen Security Risks

The best way for healthcare providers and organizations to ensure that patient health information is protected is to perform an evaluation regarding the business associate’s network and server safeguards before signing a BAA contract with them. The HIPAA-covered entity should ask about the procedures and policies that are already in place to protect patient information, and who will have authorized access to such information when providing services and products.

Another way to mitigate risk is to find out if the business associate plans to use subcontractors to provide work and learn about the security protections that will be in place with the subcontractor. In addition, healthcare providers should always ask whether a business associate has a response plan in place in case a security breach is detected and what steps the company will use to limit the negative effects of the breach. The response plan should also provide details on how the company will report breaches to the healthcare organization so you can take steps to evaluate your own security systems to ensure the breach did not affect your healthcare systems.

Find out more about Direct Liability of Business Associates Under HIPAA Rules.

Healthcare Organizations Effectively Mitigate Risks Through IT Assurance Services

Protect your healthcare IT systems to prevent cybercriminals from accessing patient information by having an independent CPA firm provide IT assurance and auditing services. I.S. Partners provides IT solutions to the healthcare industry with a range of assessments.

As certified CPAs, we can perform HIPAA-HITECH audits and attestations to look for vulnerabilities in electronic protected health information systems as well as verify that your protocols and policies follow all HIPAA-HITECH regulations. We also provide HITRUST assessments of business associate’s security requirements to ensure they align with HITRUST-CSF standards if the business associate is seeking HITRUST certification. Learn more about the audits and assessments we can provide to your health organization by contacting us today.

About The Author

Robert Godard

CPA, CISA, HITRUST-CCSFP
Principal

Robert is a Principal with I.S. Partners, LLC’s Business Process/Advisory Services practice in Horsham, PA. Robert has conducted a variety of Financial Statement Audits for a range of industries such as banking, healthcare, payroll, employee benefit plans (Pension, Health and Welfare), Unions and Construction.

Robert’s specialty is in audits of IT Controls and Infrastructure, Financial Statements, SOC 1 and SOC 2 audits, HITRUST CSF Assessments, Model Audit Rule (MAR), including evaluating business process as well as IT General Controls surrounding the reporting of financial information. He also has experience with analyzing Health Insurance information from AmeriHealth, Blue Cross Blue Shield, Express Scripts and Delta Dental. Additionally, Robert has performed audits for Construction and Special Tax related credits (Historical Tax Credits). He has prior work experience using ISSI, Great Plains and Peach Tree.

Prior to joining I.S. Partners, LLC, Robert was employed with Novak Francella in the Financial Statement Audit division, where he worked as an associate on external audit engagements in accordance with GAAP and DOL requirements.

Robert has a Bachelor of Science degree in Finance and Accounting from LaSalle University, Philadelphia, PA.