HIPAA Compliance Strategies

When It Comes to Business Associates And Your PHI, Ignorance Isn't Bliss

Reprinted from the August 2005 issue of REPORT ON PATIENT PRIVACY, the industry's most practical source of news on HIPAA patient privacy provisions.

When was the last time you got a call from a business associate (BA) notifying you of a privacy breach? Conversely, when was the last time you made a call to a BA to see how things were going vis-à-vis privacy?

If your answer to both questions is "never," you are not alone. And it certainly doesn't mean the situation is OK. In fact, unscrupulous or poorly managed BAs pose greater privacy risks than a covered entity's (CE) own work force, because they are virtually, if not literally, "out of sight." Many are small, based at home and/or have no health care experience themselves, so the concept of medical privacy may be foreign to them.

"You really don't know what your BAs are doing, and you can't assume anything," observes Paige Joyner, a consultant with Compliance +, LLC, in Norcross, Ga.

One CE told her that a subcontracted nurse "stacked the charts on the trunk of the car and drove away." Adds Joyner, "I guarantee you that sort of stuff happens all the time."

Chances are, BAs are making mistakes simply because "it is hard for everyone to understand the implications of the rule," she says. And as a CE, you might not know about it unless you ask, says Joyner, even if your agreement requires the BA to tell you.

"Most CEs that I deal with think that, by virtue of their business associate agreements (BAAs), they are covered," she says. But "the majority of people have no idea what is in their notice of privacy practices, let alone their BAA."

Prior to the effective date of the rule, many CEs were "in a panic," and did little more with their BAs than simply "send the contracts out, and that was about it," Joyner says.

Limits to CE Obligations

The proposed privacy rule as first issued by the Clinton administration gave CEs much more responsibility for their BAs than they have now, and critics have complained the current requirements are insufficient. Under the proposed rule, CEs had to actively monitor their BAs and patients were considered a BA's "third party beneficiaries."

The final rule required only that CEs "enter into written contracts or other arrangements with business associates which protect the privacy of protected health information." In addition, a CE that becomes aware of a breach or contract violation by a BA has a duty to take steps to correct it; a CE that does not is itself considered out of compliance and faces the consequences of any government action.

But beyond that, HHS stated that "covered entities are not required to monitor or oversee the means by which their business associates carry out privacy safeguards or the extent to which the business associate abides by the contract."

Given this, should you do anything more? Joyner and other experts say "yes." One reason: In the event of a disclosure by someone working as your agent, a CE has more to fear from the local news media than from HHS. The damage to your reputation stemming from any public disclosure of a privacy violation could reverberate long after the investigators from HHS close their files.

In addition, you could be subject to the provisions of state privacy laws, which, if more stringent, would take precedence over HIPAA.

PHI on the Neighbor's Porch

More proactive efforts with your BAs could keep you from getting a call like the one that came to Chrissy Cluck, administrator of West Wichita Family Physicians, which described the misdeeds of one of her practice's BAs. She later severed her relationship with that BA and took steps to ensure better compliance on the part of others.

The group has six in-house transcriptionists who handle 70% of the work generated by the 21 physicians in the practice. Cluck was distressed to discover that a transcriptionist the practice had used for years was leaving tapes and other materials on her front porch for individuals who worked for her to pick up, and they dropped them off there, too. The materials were kept in some kind of container, but were not secure.

"We had no idea that this was happening," Cluck says.

The complaint got to Cluck in a roundabout way — the woman's neighbor called the state medical society, told someone there what she had discovered, and indicated that she thought the woman worked for Cluck's practice. The individual from the medical society then called Cluck.

Prior to the compliance date of the privacy rule, the transcriptionist signed a BA agreement indicating she would observe privacy requirements. When confronted, the woman said she knew when persons would be arriving or leaving the materials, so she didn't think there was anything wrong with what she was doing. However, she agreed to stop leaving the materials on her porch.

After this incident, Cluck developed an addendum to the BAA that specifically addressed leaving PHI unguarded and had this woman and two other transcription companies sign it.

About a year later, Cluck consolidated all her transcription work with one firm and terminated her work with the other two, including the woman who had committed the violation.

"We were given a better [financial] offer, and that little incident didn't help," Cluck says of her decision to stop using the one firm. After the association was ended, Cluck had the woman sign a document indicating she had destroyed the information she had.

The woman who now handles all the overflow transcription work also operates from home "but she is a bigger company. She is very secure," says Cluck.

This is the only incident Cluck has become aware of involving one of the group's 20 or so BAs, all of which have BA agreements with the practice. Cluck has BAAs with the firm that does Holter monitor readings, for example, and with the group's accountant. She even had a consulting radiologist sign a BAA, even though, because he is a treating provider, one is probably not required.

"He does come on site, but he goes to other offices and is able to bring up our [patient data] at other facilities," so she thought a BAA would be a good idea, Cluck says.

The experience did not sour Cluck on home-based subcontractors. "It did make me realize how [violations] can happen, but I did not feel it was necessary at the time to go back and check up on everybody," Cluck says.

Is Being Choosy With BAs Itself a Safeguard?

Privacy officials at Olympic Medical Center in Port Angeles, Wash., believe the careful selection of contractors should hold the 126-bed hospital in good stead when it comes to the behavior of its BAs.

The hospital has a decentralized approach to its BAs; each director, or department head, was responsible for obtaining a signed agreement with BAs he or she uses.

"We have not required our hospital directors to do any monitoring of BAs," says Mic Sager, associate compliance officer. "We believe this approach is supported by industry norms and both the letter and spirit of the regulations. We trust our business partners to honor their agreements with us, and upon learning of any infractions, we will take appropriate action."

Vendors are selected based on a "fairly decent vetting process" as well as through arrangements made by the purchasing cooperatives that Olympic uses. "We give a lot of credence to that," Sager says.

"It becomes a cost issue. What is more important — to monitor the guy who fixes our X-ray machine or to have another nurse on the floor?" asks Sager.

Larger BAs know about HIPAA and have pledged to their CEs, "I will be as good as you are," when it comes to privacy compliance, says Sue Miller, chief privacy officer for Health Transactions, a consulting firm based in Jacksonville, Fla. Miller is also active in a number of national HIPAA organizations and forums.

Intensive monitoring of your BAs may not be necessary, but you should have a process in place to assess their performance at least once a year or at the time you renew their contracts, she says.

She advises streamlining your BAAs so that you are asking each BA to perform the same way, in terms of reporting, training and other compliance activities. Try to keep all your agreements in an organized database so you know when renewals are coming up, and you are able to see which ones might be generating more concerns and problems than others. This will allow you to focus your efforts where they are most needed, Miller says.
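As an added illustration of the organized inventory Miller describes (example code written for this page, not from the article or from any vendor), the following Python keeps a small registry of BAs with their renewal dates, last-assessment dates and reported incidents, and produces a prioritized review list so that annual assessments and renewals are not missed and the BAs generating the most concern surface first. The names, dates and scoring weights are constructed for the example and are not from the article.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class BusinessAssociate:
    """One row of the BAA inventory. Fields are assumptions of this example."""
    name: str
    function: str
    phi_volume: str                 # "high", "medium" or "low"
    home_based: bool                # works from a residence (see the porch incident)
    uses_subcontractors: bool       # hands PHI to people who work for them
    baa_signed: bool                # a signed BAA is on file
    renewal_date: date
    last_assessed: Optional[date]   # None = never reviewed since signing
    incidents: List[date] = field(default_factory=list)  # reported privacy problems


VOLUME_WEIGHT = {"high": 3, "medium": 2, "low": 1}


def risk_score(ba: BusinessAssociate) -> int:
    """Higher score = review sooner. The weights are illustrative, not regulatory."""
    score = VOLUME_WEIGHT[ba.phi_volume]
    score += 2 if ba.home_based else 0
    score += 1 if ba.uses_subcontractors else 0
    score += 3 * len(ba.incidents)
    score += 5 if not ba.baa_signed else 0
    return score


def assessment_overdue(ba: BusinessAssociate, today: date, max_age_days: int = 365) -> bool:
    """Miller's rule: assess at least once a year."""
    return ba.last_assessed is None or (today - ba.last_assessed).days > max_age_days


def review_queue(registry: List[BusinessAssociate], today: date,
                 horizon_days: int = 90) -> List[Tuple[BusinessAssociate, List[str]]]:
    """Return BAs needing attention, highest risk first, each with the reasons why."""
    queue = []
    for ba in registry:
        reasons = []
        if not ba.baa_signed:
            reasons.append("no signed BAA on file")
        if assessment_overdue(ba, today):
            reasons.append("no assessment in the last year")
        remaining = (ba.renewal_date - today).days
        if remaining <= horizon_days:
            reasons.append(f"contract renews in {remaining} days")
        if ba.incidents:
            reasons.append(f"{len(ba.incidents)} reported incident(s)")
        if reasons:
            queue.append((ba, reasons))
    # Most risk first; ties broken by the nearest renewal date.
    queue.sort(key=lambda item: (-risk_score(item[0]), item[0].renewal_date))
    return queue


# Constructed sample registry (illustrative names and dates only).
TODAY = date(2005, 8, 15)
SAMPLE_REGISTRY = [
    BusinessAssociate("Home-based transcription (overflow)", "transcription", "high",
                      True, True, True, date(2005, 11, 1), None, [date(2005, 6, 15)]),
    BusinessAssociate("Holter monitor reading service", "diagnostics", "medium",
                      False, False, True, date(2006, 6, 30), date(2005, 2, 1)),
    BusinessAssociate("Practice accountant", "finance", "low",
                      False, False, True, date(2006, 1, 15), date(2004, 3, 1)),
    BusinessAssociate("Records storage vendor", "storage", "high",
                      False, False, False, date(2006, 9, 1), date(2005, 7, 1)),
]


if __name__ == "__main__":
    for ba, reasons in review_queue(SAMPLE_REGISTRY, TODAY):
        print(f"[{risk_score(ba):2d}] {ba.name}: {'; '.join(reasons)}")
```

Run as a script it lists the home-based transcriptionist first (high PHI volume, never assessed, one incident, contract renewing within 90 days), then the storage vendor with no BAA on file, then the accountant whose last assessment is more than a year old; the Holter service has nothing outstanding and is not listed. Replacing the in-memory list with a spreadsheet or database export gives the same prioritization over a real inventory.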

Miller recommends developing a "fairly simple" reporting system that is heavy on understanding and light on punitive measures, to encourage BAs to report breaches to you. Both the CE and the BA should know who their contact person is within each organization.

"Make it a hand-holding situation," says Miller. "Don't call it a violation, at least not right away. If you share information in a pleasant way, instead of an adversarial way, you are going to get much better care of PHI and electronic PHI" by your BAs.

Steps to Take With BAs

Other tips, provided by Joyner and Miller, include:

Consider visiting your BAs, especially those that handle a lot of PHI, and review their safeguards and policies and procedures.

Include BAs in formal staff training, especially if they are small, previously unknown to you, complete their work at home, or perform a function that is not clinical, such as an accountant.

Short of including the BA in training, make your training materials available to your BAs.

Put BAs on your routing list for privacy and security updates. Reinforce the privacy rule at monthly meetings and invite your BAs to attend. Or invite them to talks or seminars you might offer to your work force.

Ask specific questions based on your knowledge of how the BA functions. For example, ask the home health agency or durable medical equipment dealer how their personnel keep PHI under wraps in a patient's home. Find out how often a fax has been misdirected by your BAs, and whether your BAs use other people to work for them.

Inquire of your BAs as to whether their workers ever bring PHI home, and how they keep it secure during travel and while at their residence. Do they use the same computer as their children, for example?

Be alert to the value your PHI might have to the BA, especially if they are a clearinghouse or other entity that handles electronic transactions. Ask if they ever reuse it, sell it or collect it for databases or other purposes. If so, insist they de-identify the data and sign a data use agreement with you.

Copyright © 2008 by Atlantic Information Services, Inc. All rights reserved.
1100 17th Street, NW, Suite 300, Washington, DC 20036
Phone 202-775-9008 or 800-521-4323; E-mail
customerserv@aispub.com