We wrote about the risks that Business Associates (BAs) pose to patient information. The reality is that many Business Associates have no idea of the requirements of HIPAA or of the real risks to patient information. And even though all Business Associates will be responsible for complying with the HIPAA Security and Omnibus rules come September, that may not change the current landscape. Many of these Business Associates have signed Business Associate Agreements (BAAs), but many have not done much more to ensure that they are complying with HIPAA and protecting patient information properly.
Many medical practices rely on outsourced IT companies to help support their networks. As these practices implement EHRs, their networks become more and more complex. Unfortunately, many of these IT companies do not fully understand the HIPAA requirements. They may have medical practices as clients, but they also have car dealerships, retail stores, and a variety of other clients. These BAs might sign BAAs with medical practices, but the question is what they have done to ensure compliance with HIPAA and to ensure that their employees understand their responsibility for protecting patient information.
Medical billing companies have ongoing access to patient information. After you sign a BAA with them and give them access to patient information, do you know how they are protecting that information? Have their employees been trained on HIPAA security? Do they understand the risks of portable media, smartphones and laptops? Do they know the dangers of posting patient information on social networks? Maybe they do, but then again maybe they don’t.
We singled out IT companies and medical billing companies, but the reality is that the same argument can be made for all BAs. On the other hand, there are some BAs that take HIPAA security very seriously: they have performed a risk assessment, have written policies and procedures, and have trained their employees on protecting patient information. The problem for medical practices is figuring out which BAs have taken HIPAA seriously and which have not.
Don’t ask, don’t tell
If you are not asking for proof of compliance from your BAs, you will have no idea whether they understand how to properly protect patient information. Here are a few simple questions to ask of all your BAs:
- When was the last time you performed a HIPAA risk assessment? Can you show us your last risk assessment?
- Do you have written policies and procedures on protecting patient information?
- Have all your employees been trained on protecting patient information? Are the employees who will be accessing our information properly trained?
- In the event of a breach, do you have a response plan? Can we see what your plan looks like?
By asking these questions you will quickly find out which vendors have taken HIPAA seriously and which have not. Signing a BAA with a Business Associate does not ensure compliance with HIPAA regulations.
Remember, if your BA has a breach involving your patient information, it will be your patients who get notified. It will be your reputation that is damaged.
All Covered Entities and Business Associates need to train their employees on HIPAA security. We now offer free online HIPAA security training for Covered Entities and Business Associates. Find out more about our free training and send the information to ALL your Business Associates.
Now there is no reason for Business Associates not to have trained their employees on protecting your patient information.