Why healthcare professionals should choose their business associates wisely
For those in the healthcare industry, the protection of sensitive data has long been a prime concern, in particular ensuring the ongoing security of Protected Health Information (PHI). Known as ‘covered entities’, healthcare professionals and organizations have a responsibility to ensure all health information is secure at every stage of handling – especially when other vendors are involved.
Under the Health Insurance Portability and Accountability Act (HIPAA), covered entities must ensure that business associates (BAs) enter into a Business Associate Agreement (BAA) to safeguard PHI. As such, any individual or organization that conducts business with covered entities must adhere to and comply with the HIPAA Security and Privacy Rules. Noncompliance is detrimental – both BAs and covered entities are held accountable and penalized should a data breach occur.
So what do covered entities need to consider when it comes to BAs?
1. That vendors identify themselves as BAs
As a covered entity you may have a preferred partner, be looking to renew contracts, or be moving to a new vendor – but can they assure HIPAA compliance? Clarity is key when dealing with third parties. If a vendor is working in association with your business or providing services that result in the handling of PHI, seek reassurance that they recognize themselves as a BA.
2. How do your BAs process sensitive data?
If you don’t know, it would be wise to find out. It is beneficial for you to understand how your BAs collect, store, process and transfer PHI. Placing your trust in a BA shouldn’t be done lightly, without a full understanding of how data flows through their business. A BAA will contractually outline the use of PHI by the BA. Never release or disclose PHI to a business associate unless both parties have a BAA in place.
3. Check the fine print
Under no circumstances should you sign a BAA without having thoroughly read and understood the agreement. Do your due diligence and liaise with your BA to tailor the agreement to your business needs. A strong relationship with your BA can strengthen your business processes, and by fully establishing responsibilities upfront you can avoid costly problems should an error occur.
Remember, HIPAA compliance is only one piece of the puzzle for healthcare professionals, but keeping these tips in mind brings you one step closer to securing PHI.
For more about Sfax and HIPAA, click here.