The delivery and financing of healthcare is a complex undertaking and health care providers and payers often rely on business partners (a.k.a. business associates) to satisfy the needs of patients and members. These relationships frequently involve the exchange of protected health information (PHI) while the business associate performs services such as revenue cycle management, care management or quality improvement, just to name a few.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) originally regulated the behavior of business associates through contractual relationships with covered entities. However, in 2009, Congress made business associates directly accountable for complying with many of HIPAA’s regulations. As a result, many covered entities are struggling with how to assess their business associates’ compliance with HIPAA’s regulations.
Manatt, Phelps & Phillips, a law firm working with the California HealthCare Foundation, surveyed 16 covered entities to learn more about how business associates and covered entities are collaborating to satisfy HIPAA’s privacy and security requirements.1
Findings and Recommendations
The survey participants made the following recommendations for improving compliance with HIPAA.
a.) Education and Training
Both covered entities and business associates suggested that smaller organizations might benefit from additional education and training. Many small providers focus on patient care activities and lack the resources to provide comprehensive privacy and security training or complete risk assessments.
Additionally, some survey participants suggested that trade associations or federal/state government agencies would be a good source for training materials and live training. Examples of such organizations included county medical associations, professional societies, state and county medical associations, and state hospital associations.
Another suggestion was that business associates establish mechanisms to share best practices for compliance and information related to HIPAA privacy and security to minimize the need for each organization to reinvent the wheel.
b.) Voluntary Third Party Certification
Some survey participants suggested that an outside third party certification process for business associate compliance with HIPAA would be useful. A voluntary certification process would ensure that business associates consistently meet a baseline of HIPAA compliance so that covered entities could be confident of their compliance and not have to perform a significant amount of due diligence over and over again.
Several certification processes already exist in the healthcare industry. They include:
1. Statement on Standards for Attestation Engagements (SSAE) No. 16, developed by the American Institute of Certified Public Accountants, Inc. It addresses organizational controls relevant to entities’ financial reporting, IT and related processes. The SSAE No. 16 replaced the Statement on Auditing Standards (SAS) No. 70, which was a widely recognized auditing standard.
2. The Health Information Trust Alliance (HITRUST) developed a common security framework that “harmonizes the requirements of existing standards and regulations, including federal, third party, and government.” Covered entities and business associates can perform assessments against the healthcare specific framework and receive a certification that may be shared with relevant parties.
3. The Electronic Healthcare Network Accreditation Commission (EHNAC) is a standards development and accrediting body. EHNAC offers certification of organizations’ regulatory compliance with HIPAA, HITECH, ARRA, and the Affordable Care Act.
c.) Other strategies identified by the survey participants included:
1. Standardization of compliance assessments and questionnaires
2. Assessment tools for evaluating and managing business associates
3. Education and training on business associate relationships
4. Compliance officer peer networks
Business associates and covered entities are key players in the delivery of health care, but many struggle with HIPAA compliance as they focus their limited resources on their core businesses and patient care.
There are many business associates and covered entities that do not believe they need additional education and training on HIPAA compliance. However, many smaller organizations with limited resources often turn to publicly available training materials, and many times these are too general or not user friendly.
As covered entities struggle with the best approach to assess business associate compliance, some are turning to the third party certification process as a way to ease the burden on business associates and covered entities alike.
Finally, many in the health care industry are calling for the standardization of business associate agreements as well as innovative tools and services to help small and new business associates understand and comply with HIPAA. Read additional information about the survey and its findings here.
1 Paper – Business Associate Compliance with HIPAA: Findings From a Survey of Covered Entities and Business Associates, 2014, Manatt, Phelps & Phillips and The California HealthCare Foundation, www.chcf.org/