Healthcare News & Insights

How contracts can help ensure partners’ HIPAA compliance

Like it or not, your hospital is being held accountable for more than just its own cybersecurity. And how your business associates (BAs) handle cybersecurity could come back to haunt your facility. 

Reason: The Department of Health & Human Services’ Office for Civil Rights (OCR) requires hospitals to ensure their BAs are taking the correct steps to guard patients’ protected health information (PHI). And when the next round of HIPAA audits kicks in, the OCR will be looking to see that both facilities and their partners are meeting their HIPAA obligations.

Unfortunately, many BAs aren’t fully aware of what those requirements entail. But there are steps you can take to change that.

Ensuring controls in contracts

The key to ensuring BAs address their cybersecurity obligations is to spell out those duties early on in your third-party contracts, according to Mitchell Parker, chief information security officer at Temple University Health System, in a recent Healthcare IT News article.

BA contracts are important for determining things like HIPAA breach liability, but providers often gloss over other important factors in contracts, such as BA risk management, Parker says. Contracts should address issues like what security steps must be taken, and how often a BA’s security assessment will be monitored and audited.

However, it’s important that contracts don’t just touch on the technical safeguards. They need to designate what procedural controls need to be in place, too. For example: Does your BA have policies in place to limit who can access PHI and when?

Additionally, Parker says it’s important to look at whether a BA’s procedural controls hold custom code and programming to the same security standards as your facility.

“That’s a big consideration you have to take a look at especially when you’re securing PHI,” Parker says. “And especially when considering a very large amount of electronic medical record data in the United States is actually now stored on the cloud.”

Another BA pitfall

Ensuring HIPAA compliance doesn’t only apply to software and health IT vendors. If your hospital works closely with physician practices, you may also run into compliance issues there.

Many smaller practices are unsure about certain HIPAA requirements, particularly with regard to new electronic and mobile devices, says a new study from NueMD, a healthcare software developer.

After talking to the staff of over 1,000 providers, researchers found:

  • 27% of practices hadn’t cataloged their electronic devices
  • only 31% felt “very confident” their electronic devices were compliant, and
  • just 18% were “very confident” their mobile devices met compliance standards.

As HIPAA regulations continue to develop, hospital leaders will have to find ways to hold their partners accountable for guarding PHI effectively. One way might be to compile a list of information resources your BAs can use to better educate themselves on their HIPAA duties.
