Wed, Apr 3, 2013
On January 25, 2013, the Department of Health and Human Services (HHS) issued the HIPAA Omnibus Final Rule, which modifies the HIPAA Privacy, Security, and Enforcement Rules pursuant to the HITECH Act and extends certain provisions of the Privacy Rule, together with the Security Rule itself, to Business Associates (BAs), including subcontractors who qualify as BAs.
Chief among the HIPAA privacy and security requirements that now apply to BAs and subcontractors is a required risk analysis assessing the potential risks and vulnerabilities to Protected Health Information (PHI):
§ 164.308 Administrative safeguards. (a) A covered entity or business associate must, in accordance with §164.306: (1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
(ii) Implementation specifications: (A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
Moreover, HIPAA rules require that covered entities (and BAs, in the case of their subcontractors) enter into BA contracts to ensure that the BAs or subcontractors will appropriately safeguard PHI. The BA contract also serves to clarify and limit, as appropriate, the permissible uses and disclosures of PHI by the BA or subcontractor, based on the relationship between the parties and the activities or services being performed:
(a)(1) Standard: Business associate contracts or other arrangements. The contract or other arrangement required by § 164.308(b)(4) must meet the requirements of paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii) of this section, as applicable.
(2) Implementation specifications (Required).
(i) Business associate contracts. The contract must provide that the business associate will—
(A) Comply with the applicable requirements of this subpart;
(B) In accordance with § 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit electronic protected health information on behalf of the business associate agree to comply with the applicable requirements of this subpart by entering into a contract or other arrangement that complies with this section; and
(C) Report to the covered entity any security incident of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410.
As a result, for a BA or subcontractor to conduct a successful risk assessment, the assessment team must weigh several key factors, among them the provisions of each separate BA contract. When examining BA and subcontractor agreements as part of a risk assessment, the team should consider the following key factors:
HIPAA Standards
Business Associate Contract Inventory
Policies and Procedures, Implementation and Training
Documentation
Assessment teams should keep in mind the significance of the assessment, focusing on the organization's internal policies and procedures, their implementation and associated training, and the privacy and security requirements found within each BA or subcontractor agreement.
By Grant Peterson, J.D., chief compliance officer and founder of HIPAA Analytics. Grant specializes in HIPAA and HITECH Act privacy and security audits, implementation, remediation and attestation to healthcare organizations and business associates. Grant holds a BS degree in Public Administration from Minnesota State University, and a Juris Doctor degree from Hamline University School of Law.