HIPAA business associates: How healthcare providers manage the risk

Feb 11, 2022

Breaches exposed more than 45 million patient records in 2021, the largest total since 2015. Meanwhile, cybercriminals are shifting their attention to business associates as a way to get in the door, according to a report from Critical Insight.

Business associate attacks increased by 18% last year. This suggests cybercriminals are adopting new strategies to obtain protected health information (PHI). Last year, attacks on third-party vendors exposed more records per breach than other attacks, accounting for 23.5% of total affected records.

For healthcare organizations, it’s a reminder that business associates pose additional risk to PHI — risk that needs to be managed. Cybercriminals are using ransomware, credential harvesting, phishing tactics and stolen devices to obtain and monetize PHI. Healthcare organizations need to remain vigilant in terms of their own cybersecurity measures as well as those of their third-party vendors.

HIPAA liability for business associates

While the U.S. Office for Civil Rights (OCR) is levying penalties against business associates, it’s holding covered entities accountable, too. In 2020, for example, an orthopedic clinic agreed to a $1.5 million settlement after hackers used a vendor’s credentials to access PHI. Systemic failures cited in the settlement included the clinic’s lack of business associate agreements with multiple vendors.

OCR guidance has clarified that business associates are liable whether or not they have an agreement in place with the covered entity. What’s more, business associate liability flows downstream to include subcontractors. Therefore, each downstream contract must be as stringent as the one above it. 

Translated, that means there’s a chain of compliance that starts with the covered entity and ends with the very last subcontractor in the chain.

Managing business associate risk

Business associates play an integral role within every healthcare organization. Their valuable assistance can range from straightforward housekeeping services to very complex and integrated services, such as supporting electronic medical records.

But how do you know whether your business associates are taking the proper precautions to safeguard your patients’ PHI? A signed agreement is no assurance. Covered entities need to perform a risk analysis that helps them determine whether engaging in or continuing to do business with a business associate is too risky and therefore not acceptable.

Vetting must apply to both new business associates and existing relationships. It’s not uncommon to have longstanding vendor relationships that may not have previously undergone rigorous scrutiny. It’s also not uncommon for regulators to ask, “What did you do to ensure that your business associates are properly protecting PHI?”

HIPAA business associate compliance checklist

Don’t gamble with an underdeveloped vendor management program. Take action now to strengthen your risk posture throughout the chain of compliance:

  1. Identify your organization’s third-party organizations
  2. Categorize third-party relationships according to risk
  3. Obtain satisfactory assurances that third-party organizations have the appropriate security/privacy controls in place
  4. Set expectations with third-party organizations
  5. Continuously monitor and reassess

Review the following checklist for common expectations to establish with your vendors:

  • Current HIPAA business associate agreements, service level agreements and master service agreements in place
  • Vendor maintains business associate agreements with any downstream vendors that access/handle PHI on your organization’s behalf
  • Vendor maintains a security/privacy program
  • Vendor has a security officer with knowledge of HIPAA
  • Vendor provides ongoing HIPAA training to its employees
  • Vendor has a formal response plan in the event a breach is detected
  • Vendor has adequate physical protections in place
  • Vendor has an adequate disaster recovery plan
  • Vendor conducts annual risk assessments and reports to you annually

Healthcare organizations need the discipline and rigor to manage business associate risk on an ongoing basis. This includes managing your business associate inventory, maintaining current contracts, conducting third-party risk assessments and holding your business associates accountable for the expectations outlined above.

Wipfli helps covered entities and business associates manage HIPAA compliance

Accept that not all third-party relationships are alike. If exposure is high, or your own internal resources are stretched, it may make sense to leverage outside help to assess third-party risk.

A growing number of healthcare organizations are requiring their business associates to obtain HITRUST Certification as a means of demonstrating effective security and privacy practices aligned with the requirements of the health industry.

If such a requirement is not a good fit for you or your vendors, Wipfli can assist with alternate tools to manage risk and compliance, including our HIPAA security risk assessment.


Wipfli Editorial Team