Healthcare provider organizations rely on a variety of entities to help them carry out healthcare activities and functions. If these entities create, maintain, or transmit protected health information (PHI) on behalf of a provider organization, they are considered a business associate (BA) under HIPAA. The broad definition of a BA under HIPAA encompasses many different types of vendors. PHI disclosure management vendors are examples of BAs, and often they can be trusted partners who offer valuable guidance and best practices to help providers stay compliant with the HIPAA Privacy and Security Rules. Other BAs may not be so obviously tied to privacy and security compliance, including food service companies, document shredding vendors, physician answering services, revenue cycle management subcontractors, and many others.
Regardless of the type of BA, provider organizations need to conduct due diligence and execute business associate agreements (BAAs), ensuring these partners have HIPAA-compliant policies and safeguards in place to protect the security and privacy of patients’ PHI. Even with a BAA, breach risk and HIPAA compliance should be continually assessed as the provider organization conducts its own risk analysis.
BAs Pose Risks to Provider Organizations
In recent years, BAs have come under greater scrutiny by the US Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), which investigates and enforces reported HIPAA-compliance violations. With the enforcement of the HIPAA Final Omnibus Rule in 2013, BAs can now be held liable for violations of the HIPAA Security and Breach Notification Rules and certain provisions of the HIPAA Privacy Rule. New this year, BAs began facing OCR Phase 2 HIPAA audits.
This recent attention stems, in part, from the large amount of electronic PHI (ePHI) that BAs hold, which puts providers and their patients at risk. For example, North Memorial Health Care (NMHC) made a resolution agreement payment to OCR of more than $1.5 million this year after the theft of an unencrypted, password-protected laptop from a BA employee’s locked vehicle impacted the ePHI of 9,497 individuals. NMHC did not have a BAA with its BA, which was performing payment processing for the provider.
Similarly, Raleigh Orthopaedic Clinic, P.A. of North Carolina paid a $750,000 resolution agreement payment after it released more than 17,000 X-ray films to a BA without a BAA. The BA, which claimed it would digitize X-rays for the clinic, was actually a fraudulent company that sold the films to a recycler to be harvested for silver and never created the electronic images. This example, in particular, highlights the importance of having BAAs and conducting due diligence of BAs.
Conducting Due Diligence
Conducting due diligence of BAs is essential before the partnership begins, but also as part of the provider’s ongoing risk analysis. The first step is to develop a questionnaire for the BA, or potential BA, to provide attestation or documentation of compliance. If red flags are identified, then a more in-depth review or assessment should be conducted. Some red flags, such as ignoring or inadequately responding to a questionnaire, should immediately disqualify the BA from consideration.
When deliberating these red flags, some may be riskier than others. The bottom line is that provider organizations should only consider BAs who are willing to complete questionnaires and answer questions about how they protect PHI privacy and en-
Reduce BA Risk
By Mariela Twiggs, MS, RHIA, CHP, FAHIMA, and Sara Goldstein, Esq.