The Department of Health and Human Services’ Office for Civil Rights is conducting these audits and, according to recent reports, business associates affected by a data breach face average fine costs of $1 million. You read that correctly but let me repeat to ensure clarity. Average of $1 million. With that said, no matter if your business is massive or minor or how far segmented you feel from direct patient care, responsibilities must be clarified on how to handle protected health information (PHI) so you do not face these fines.
Business associates have governed regulations for the Privacy, Security, and Breach Notification Rules of HIPAA and the HITECH Act. A Business Associate Agreement states and clarifies work with your covered entity, especially in regards to the Breach Notification Rule (timeframe, context, and financial liability responsibilities). And, as of last year, all covered entities are mandated to have these agreements between their business associates and those business associates with their subcontractors, and this will be one of the core criteria that auditors will be looking for in healthcare organizations over the coming years.
So what does Datica do well as a business associate and subcontractor?
HIPAA requires three different safeguards for PHI to be enacted, in addition to the business associate agreements. We feel we have mastered these core safeguards as a business associate so our covered entities never have to fear a breach on our ends.
These safeguards are inclusive of performing a risk analysis to understand what PHI you have, how it is utilized, where it is vulnerable, and what potential impacts could be if exposed. Policies and procedures should be founded from this risk analysis.
These are integrated into your internal IT procedures and systems. These are inclusive of ones that you have outsourced to vendors.
These will limit access to PHI and data storage areas to solely authorized workers on a necessity basis.
If you are a new or small organization, as many are, you most likely are not a HIPAA expert or have one on your staff. In our opinion, the best place to start is by performing a risk analysis and determine your weak points and concentrate your efforts to cover those critical areas.