In the recent article “Your Business Associates Hold Your HIPAA Compliance Future in Their Hands: Eleven Things You Can Do,” the author, Marla Durben Hirsch, provides commentary for a recent issue of Medical Practice Compliance Alert and raises some important questions for practices and their Business Associates. Hirsch offers caution surrounding the heightened risks of BAs who employ remote employees with access to PHI, commenting, “Business Associates who farm out work create more risks for your patients’ PHI.”
Short answer: we agree! This article makes excellent points about BAs and the need for a full vetting process when choosing a Business Associate who will have access to your PHI.
Long answer: Most of these 11 suggestions are great – BUT, a Covered Entity wants to be careful not to cross a line and dictate to the Business Associate what they have to do, i.e. restrict telecommuting policies. Doing so creates an “agency” relationship, and then all liability comes back on the covered entity.
The beauty of Business Associates is that they take on the liability for certain activities that previously would have been held by the CE. If we, as the BA, have a breach, it’s our responsibility. We alert the Covered Entity and as a courtesy determine who will alert the patient, the CE or us as the BA. Ultimately, we maintain that liability, and we answer to the Office of Civil Rights, just like Covered Entities do. The Office of Civil Rights might enter into a settlement with a CE because they didn’t properly vet a BA, but in the end, if the BA is at fault for a large breach, the BA would answer to the OCR.
It goes without saying, healthcare is a HUGE industry with many moving parts. While the 11-item list in the article is helpful, we would argue that there is not something so simple as a checklist or generic Business Associate Agreement to vet a BA. Even at ScanSTAT, we frequently have Covered Entities who send us agreements that include a blanket statement we will give them full access to our records – we simply cannot do that. We strike this from agreements, citing privacy concerns to protect PHI.
A good Business Associate seeks to maximize security and compliance for CEs at all times and in all circumstances. While the article cautions that a BA who utilizes remote employees is cause for concern, reputable BAs don’t haphazardly “farm out” work. We agree that to do so would introduce unnecessary risks and potential breaches. In our case at ScanSTAT, we hand select HIM professionals with experience in a clinical setting and require them to undergo rigorous training and our certification process – whether those employees are located in our office or working from home. Over the many years of offering ROI services, we’ve built safeguards, training processes and technology that enables both our in-house staff and our remote staff to operate efficiently and securely at all times.
ScanSTAT does not take our position as a trusted partner and business associate lightly. We’ve selected and developed an excellent team of people committed to compliance and staying on top of security issues in a rapidly changing industry. We’ve engaged with the best in the business, like CynergisTek, to essentially do an independent audit of us so we can continue to improve. Additionally, we fully track any suspected incident, working to mitigate risk to any PHI impermissibly disclosed. Our 2016 Error Rate, defined as total breaches and violations handled by ScanSTAT which resulted in unauthorized disclosures, was about three hundredths of one percent (0.0301%) – an extremely small number. We publish our annual statistics in an effort for transparency in our partnerships with Covered Entities and to illustrate our continued commitment to patient privacy while keeping PHI safe.
The point the author is reinforcing, wisely so, is that PHI is sensitive, and as such, you need to fully vet your Business Associates and hold them to a certain standard. While we recognize no one is perfect, conscientious Business Associates like ScanSTAT work diligently to keep error rates as close to zero as possible – remote staff or otherwise.
About the Author
Kathryn Ayers Wickenhauser
Regulatory Compliance Advisor