
The Office for Civil Rights (OCR) of the Department of Health and Human Services issued a warning stating that covered entities should expect, and prepare to mitigate the damage from, breaches caused by their business associates (BAs). In an article published in Healthcare IT News by Jack McCarthy entitled “OCR cautions hospitals to prepare for breaches at business associates”, he quotes OCR as saying that most covered entities (CEs) don’t believe their BAs will notify them of a breach. The CEs also state that they cannot determine whether their BAs have proper security measures in place to prevent and mitigate a breach.

The recent announcements by OCR concerning the next round of audits also indicate an increased focus on BAs. Published data I have seen indicates that BAs account for about 40 percent of breaches. The average time to discover a breach is over 220 days, and the discovery is often made by an independent third party. It is easy to see why CEs are not feeling very confident. How do you increase that confidence level?

Should all BAs, regardless of their role, sign a Business Associate Agreement (BAA) stating that they will provide the required security to protect the PHI? Formally confirm that they have performed their annual security risk assessment and are “substantially” compliant? Provide a copy of their risk assessment? That is very sensitive company data to give to another company.


No matter what data is provided, if the CE doesn’t have confidence in the BA, the documentation doesn’t matter. The CE and BA must develop a strong business relationship based on trust and confidence. In that way, both parties will support each other and work together to protect patient PHI. Each should start with a Security Risk Assessment to enhance HIPAA compliance and identify risks. From there, work to address the deficiencies found and collaborate to strengthen the business relationship so as to better protect patients’ PHI.