The bar has been raised on how covered entities manage Business Associates (BAs); the HITECH Act breach notification requirements, penalties for electronic protected health information (ePHI) disclosure, and the expectation that Business Associates be compliant with the HIPAA Security Rule mean that covered entities need to ensure proper due diligence when managing BAs.
In a perfect world, you could do your own security evaluation of each BA or even hire a company like Redspin to perform a HIPAA Risk Analysis to determine the extent that ePHI is at risk. Of course, it’s not a perfect world. Covered entities have too many vendors and the resources are too thin – whether it be people to perform security audits, budgets, expertise or time. Fortunately, there is a systematic way to cost-effectively reduce risk.
We recommend approaching BA risk management as a microcosm of your enterprise-wide information security program, in which a risk assessment is used to identify risk so that limited resources can be focused on mitigating the areas of highest potential risk. We call this portfolio risk analysis; it applies general information security management principles to manageable subsets of your IT infrastructure. This same approach works with BAs. The idea is that if a covered entity can prioritize which BAs represent the most ePHI security risk, then the top-risk BAs can get the attention they need. While each situation is unique, we’ve been counseling our clients to:
- Ensure they have a list of all BAs that have access to ePHI
- Define a set of easily attainable attributes that can be used to measure the risk (for example, the number of records the BA stores, transmits or has access to)
- Prioritize the list based on risk, highest risk at the top, using the attributes in the step above
- For any BA that shows high or medium level risk, perform a quick security evaluation – download our Business Associate Security Questionnaire which will help evaluate BA security risk and HIPAA Security Rule compliance
- Based on the outcome of Step 4, consider performing or reviewing an objective HIPAA Risk Analysis, or requiring the BA to perform one, to determine and mitigate BA ePHI disclosure risk
In this way, covered entities can sort through their BAs and, in a cost-effective manner, focus efforts on those BAs that represent the most risk.