As the title implies, business associates have once again escaped the radar of oversight and enforcement by the Federal Government. The Office of Civil Rights’ (OCR) recent announcement and description of its long-awaited random compliance audit program gave no real attention to business associates, the segment of the larger healthcare community that works with or for covered entities (CEs) and has access to, or in some cases custody of, patient information. One would have thought that by including these organizations specifically in the HITECH legislation they would also have received an equal share of attention, but apparently not.
What this means is that CEs will have to continue to shoulder the burden of improving their processes for selecting and overseeing business associates in order to mitigate their risks, which can be significant. Two recent experiences illustrate this point. The first scenario involves a CE that, by sheer happenstance, learned that a business associate with custody of a considerable amount of its patient data had, without its knowledge or consent, outsourced its own storage of information (and by default the CE’s) to a small public cloud vendor. When the CE inquired about the incident, security answers were not forthcoming.
The second scenario involved a small transcription company with several hundred clients. The transcription service provider was hosting its clients’ data on servers located in the owner’s private home and at a small regional Internet Service Provider (ISP), neither of which used even basic network security controls such as firewalls. The service provider had never been questioned regarding its security, and no client had ever requested a tour of its facilities—had this happened, the business associate’s lack of security measures would certainly have been an eye opener. These two examples are not uncommon and clearly depict the risks that exist for both CEs and patients. All one has to do is look at the OCR breach list on its Web site to understand that business associates represent a considerable risk to patient information and a real concern for CE reputational risk.
What we need for business associates is:
- Education on security regulations and their implications
- More rigorous screening criteria applied by CEs during selection processes
- Appropriate data protection requirements in contractual agreements, including clear termination requirements for the disposition of data in business associates’ possession
- Equal oversight and accountability regarding investigations and audits
Business associates represent a critical component of the healthcare community and should receive appropriate attention.