On January 25, 2013, the Department of Health and Human Services (HHS) issued the HIPAA Omnibus Final Rule to modify HIPAA Privacy, Security, and Enforcement Rule pursuant to the HITECH Act, extending certain provisions of the HIPAA Privacy Rule and adoption of the Security Rule to Business Associates (BAs) – including subcontractors who qualify as BAs.
Chief among the HIPAA privacy and security requirements of BAs and subcontractors is a required risk analysis to assess potential risks and vulnerabilities to Protected Health Information (PHI):
§ 164.308 Administrative safeguards. (a) A covered entity or business associate must, in accordance with §164.306: (1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
(ii) Implementation specifications: (A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
Moreover, HIPAA rules require that covered entities (and BAs, in the case of their subcontractors) enter into BA contracts to ensure that the BAs or subcontractors will appropriately safeguard PHI. The BA contract also serves to clarify and limit, as appropriate, the permissible uses and disclosures of PHI by the BA or subcontractor, based on the relationship between the parties and the activities or services being performed:
(a)(1) Standard: Business associate contracts or other arrangements. The contract or other arrangement required by § 164.308(b)(4) must meet the requirements of paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii) of this section, as applicable.
(2) Implementation specifications (Required).
(i) Business associate contracts. The contract must provide that the business associate will—
(A) Comply with the applicable requirements of this subpart;
(B) In accordance with § 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit electronic protected health information on behalf of the business associate agree to comply with the applicable requirements of this subpart by entering into a contract or other arrangement that complies with this section; and
(C) Report to the covered entity any security incident of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410.
As a result, in order for BAs and/or subcontractors to ensure a successful risk assessment, several key factors must be considered by the assessment team; for example, consideration must be given to provisions within each separate BA contract. An assessment team should consider the following key factors when examining BA and/or subcontractor agreements as a part of a risk assessment:
- Privacy: Assessment team must be aware that privacy rule requirements are often a part of every BA agreement
- Security: Assessment team must be aware that all security rule requirements are required, whether or not they are found within the BA contract.
- Data breach: Assessment team must be aware that all data breach requirements are required, whether or not they are found within the BA contract.
Business Associate Contract Inventory
- Identifying specific provisions: Assessment team must make an accounting of all BA contracts to identify and catalog HIPAA requirements.
- Accounting for compliance: Assessment team must account for all BA contract terms, signatories and effective dates.
- Tracking changes: Assessment team must account for all BA contract changes to terms and HIPAA responsibilities.
- Revising: Assessment team should seek guidance on contract review if revisions and/or legal advice are needed.
Policies and Procedures, Implementation and Training
- Associating HIPAA standards with BA requirements: Assessment team must be aware that each HIPAA provision found within the contract must have an associated policy and procedure, and must act on implementation and.
- Version control: Assessment team must account for document revision dates for policies and procedures, implementation and training.
- Policies and procedures: Assessment team must account for documentation of all current policies and procedures and be aware of 6-year archive requirement of former policies and procedures.
- Remediation: Assessment team must account for documentation of the assessment remediation plan.
- Training: Assessment team must account for HIPAA training materials and log of trained workforce members.
- Assessment: Assessment team must document the risk assessment.
Assessment teams should keep in mind the significance of the assessment, focusing on both the organization’s internal policies and procedures, implementation and training, and the privacy and security requirements found within each BA and/or subcontractor agreement.
By Grant Peterson, J.D., chief compliance officer and founder of HIPAA Analytics. Grant specializes in HIPAA and HITECH Act privacy and security audits, implementation, remediation and attestation to healthcare organizations and business associates. Grant holds a BS degree in Public Administration from Minnesota State University, and a Juris Doctor degree from Hamline University School of Law.