One of the most challenging issues for health care organizations is ensuring that business associates can be trusted with PHI (Protected Health Information). Of the 11 million people affected by reportable data breaches between September 2009 and June 2011, 6 million, or 55%, were affected by data breaches involving business associates, according to the federal government. To review the list of breaches involving business associates published by HHS, see the latest data breach report: https://docs.google.com/spreadsheet/ccc?key=0ArhiA7aQWV1XdEFfNlNPTkxJbWxPbFJvY1d1ajJCOHc
Healthcare organizations often use the services of a variety of contractors and businesses. The HITECH Act allows covered entities to disclose the minimum necessary protected health information (PHI) to these “business associates” if the covered entities obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the HIPAA Privacy Rule:
Have you identified your key business associates handling PHI that you create, receive, maintain or transmit?
Do you review your contract periodically with your key business associates?
Do you have a right-to-audit clause, or do you require your business associate to follow certain minimum security controls and best practices?
EHR 2.0 provides consulting services by partnering with leading law firms to assess your business associates based on several key factors:
Corporate size of the BA
Volume of data accessed by BA
Number of facilities serviced by BA
Type of services provided by BA
Complexity of services provided by BA
Location of BA
Previous data breaches, complaints or incidents involving BA
Our Business Associate Assessment and Monitoring services combine the factors above with the following guidelines chart to provide a periodic assessment report on your key business associates:
Who is a business associate?
A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
A member of the covered entity’s workforce is not a business associate.
Examples of a Business Associate
A third party administrator that assists a health plan with claims processing.
A CPA firm whose accounting services to a health care provider involve access to protected health information.
An attorney whose legal services to a health plan involve access to protected health information.
Examples of No Business Associate Relationship
If PHI is shared for treatment purposes, it is not considered a business associate relationship: