By Carol Amick
As healthcare providers continue to search for ways to cut costs and increase efficiency, many are outsourcing selected services.
One report indicated that 98 percent of the hospitals surveyed were either actively considering outsourcing or had already done so. Outsourcing is expanding beyond non-core functions to clinical areas, as healthcare providers look for ways to decrease costs and increase quality. While outsourcing can be a cost-effective move, failure to properly assess and manage risks related to protected health information (PHI) can create legal and reputational issues for the organization.
However, outsourcing and relying on vendors to perform activities that involve access to PHI increases the risk to a covered entity. Over the past three years, the Health and Human Services Office of Civil Rights (OCR) has issued approximately $6,000,000 in financial penalties, where failure to obtain a signed HIPAA-compliant Business Associate Agreement (BAA) from at least one vendor was either the sole reason for the financial penalty, or contributed to the severity of the penalty.
The HIMSS 2019 Cybersecurity Report noted that 30 percent of the healthcare vendor respondents had not experienced a significant security incident in the prior 12 months. This means that 70 percent had experienced a significant security incident.
HIPAA requires that covered entities have Business Associate Agreements (BAA) with vendors that have access to PHI to perform duties on behalf of the covered entity, or if electronic PHI (ePHI) passes through their systems. The HITECH omnibus rules require that business associates comply with the Security Rule with regard to ePHI, report breaches of unsecured PHI to the covered entity, comply with applicable requirements of the privacy rule, and ensure their subcontractors agree to the same regulations.
While a BAA does provide a covered entity with some legal assurances, a BAA does not necessarily indemnify a covered entity against financial penalties for a breach if the covered entity failed to obtain “satisfactory assurances” of the vendor's security. Nor will a BAA protect the entity’s reputation. Quest Diagnostics recently experienced a breach by one of their vendors of financial data for approximately 11.9 million patients. While the breach was the fault of the vendor the media focus and public attention is on Quest Diagnostics.
It’s important to consider if the data an organization are entrusting to a vendor are protected. What is the organization doing to ensure that vendors who access ePHI understand their obligations and expectations?
The steps below should be performed at least annually to help organizations ensure that their vendors are securing their data. Covered entities may do this internally or enlist the services of an independent agency to do the review.
Verify the organization has required BAAs:
Organizations must compare their vendor master file against their BAA file. Many organizations know they set up processes to obtain BAAs when the HIPAA Health Information Technology for Economic and Clinical Health (HITECH) Act regulations related to Business Associates were released in 2013, and Accounts Payable (AP) has been trained not to process a check without a BAA. However, experience shows that if there is a way around those controls someone will have figured it out! Vendors can get established without a BAA when you merge or acquire another provider. Vendors can get established without a BAA when an emergency purchase is made from a vendor. Vendors can change ownership without providing you with notice that you need an updated BAA.
Reviewing the vendor master file should begin with elimination of vendors that the organization knows are not BAAs, such as utilities, employee expense reimbursement, contracted physicians, etc. The organization should then look at all remaining vendors and determine their use and access to PHI. The process can be time-consuming and painful, but if this basic first step is never done, an organization will never know if they have identified the vendors that are putting the organization at risk. At the end of this process, the organization will have two lists; vendors with BAAs and vendors without BAAs.
Evaluation of vendors:
Once the organization has a list of vendors that access their PHI, they need to determine “what these vendors are doing to protect patient PHI.” Some questions organizations should ask themselves:
• Do we do any periodic reviews of vendor security?
• Did we evaluate security before we started working with the vendor?
• Do our vendors have certifications they can provide to us?
• If they advertise HITRUST certification, have they sent us a current report?
• What do we know about what they are doing with our data?
• Are they sending our data offshore?
• Do they have security standards that at least meet HIPAA standards?
Evaluation can be done in a number of ways. If a vendor is audited annually to maintain their HITRUST certification, or they have a SOC II or other audit done to validate their security controls, ask for the reports. Furthermore, they should be reviewed to make sure that the controls the organization is relying upon to protect ePHI are functioning. If the vendor doesn’t have an independent review, the organization may need to do their own review. Reach out to the vendor and talk to them about their security. Covered entities may find it helpful to survey their vendors on security.
If a vendor doesn’t want to provide information, or can’t provide good data, the organization needs to perform a risk assessment to determine if they are willing to accept the risk presented from the lack of information.
Update organization BAAs:
After doing the two steps above, organizations should have listings of their vendors and their BAAs. For vendors with BAAs, review those BAAs. Have the agreements been updated to reflect the HITECH Omnibus requirements? Are the agreements complete with the names of both parties and the appropriate signatures? Is the contact information correct? If the vendor doesn’t have a BAA, it’s past time to get a BAA. If the vendor with access to PHI refuses to sign a BAA, it’s time to terminate that relationship!
Monitoring vendors for PHI security is not a “one time” review. A vendor who had a great security person who understood HIPAA and the organization's requirements can have a financial setback and replace the experienced security director to save money. A vendor who assured an organization that their data was stored and processed in the USA can suddenly outsource to an offshore location for processing of the account. While this monitoring can take time and resources, as many have learned in healthcare, a little prevention can often head off a major issue.
About the Author: Carol Amick is an experienced healthcare compliance professional with over 20 years of experience in healthcare. After starting her career at HCA she moved on to become a compliance consultant for a “Big 4” accounting firm and has since served as the internal audit director, compliance director and privacy officer for several healthcare providers. Carol has worked with post-acute care, outpatient, and acute care providers to develop and implement effective compliance programs. During her time as compliance and privacy director Carol has led numerous investigations into PHI breaches and responded to outside investigations by the OCR, OIG and other regulatory agencies.