The digital vendors you choose to help run your behavioral health practice shape how well that practice runs, and their security shapes yours: your vendor's vulnerabilities are your vulnerabilities. That is why the HIPAA regulations emphasize business associate compliance. HIPAA business associate vendors must comply with HIPAA standards. So how do you ensure that you are choosing HIPAA compliant vendors?
What is a Business Associate?
Not all vendors are considered business associates, but many are. What is a business associate? A HIPAA business associate is any vendor that creates, receives, transmits, or stores protected health information (PHI) on behalf of a healthcare practitioner or organization. Common business associates include electronic health record (EHR) platforms, teleconferencing tools, online appointment schedulers, email service providers, text-messaging services, healthcare apps that transmit information to EHRs or other practitioner-based technology, and electronic billing or payment software. See TBHI's previous articles HIPAA Compliant Vendors and HIPAA Business Associates for more information. When choosing which business associate vendors are appropriate for your practice, healthcare professionals are obligated to vet them for HIPAA compliance before sharing any PHI with them.
What Makes a Vendor HIPAA Compliant?
Many of the requirements you must meet as a behavioral health practice also apply to your business associates. HIPAA business associates must ensure the confidentiality, integrity, and availability of PHI, and must implement safeguards to prevent unauthorized access to or disclosure of PHI. At a minimum, a HIPAA compliant business associate must implement the following:
- Access Management. One of the most important parts of HIPAA compliance is controlling who has access to PHI. With most PHI now stored electronically, access management is the primary way to do so. It has three components: user authentication, access controls, and audit logs. User authentication gives each user of a platform or software unique login credentials, so that every action can be tied to one identifiable person (shared accounts defeat this). Access controls then limit what an authenticated user can reach: the HIPAA minimum necessary standard requires PHI access to be restricted to only the information needed to complete a specific task, so employees should be granted access only to the PHI their job functions require, typically through role-based permissions. Audit logs record who accessed which record, when, and what they did with it (viewed, edited, exported). Reviewing these logs is how adherence to the minimum necessary standard is verified: regular access patterns are established for each employee, and access that departs from them, such as records outside a clinician's caseload or an unusual volume of lookups, can be detected quickly. When vetting a vendor, ask whether its product supports per-user accounts, role-based permissions, and an audit log you can actually review or export.
- Data Security. Hacking continues to be a cause for concern across the healthcare sector. Encryption is a core safeguard: PHI should be encrypted in transit, so it cannot be read if intercepted, and at rest, so a stolen laptop or a copied database is unreadable without the key. For telehealth sessions and messaging, end-to-end encryption (E2EE) goes further by ensuring that only the participants, and not the vendor's own servers, can decrypt the content from transmission to receipt. Encryption does not, however, protect against a compromised account or an insider with legitimate access, which is why it complements rather than replaces access management. Although HIPAA does not explicitly mandate encryption, HHS guidance on the Security Rule explains that “The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity, and availability of e-PHI. If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose not to implement the implementation specification or any equivalent alternative measure and document the rationale for this decision.” In practice, a vendor that handles PHI and does not encrypt it should be expected to show you that documented rationale.
- Data Backup. HIPAA requires businesses working with PHI to implement data backup procedures. Data backup consists of establishing and implementing procedures to create and maintain retrievable, exact copies of electronic protected health information (ePHI). Backups are essential in the case of a breach, ransomware, or natural disaster because they facilitate business continuity and the upkeep of patient care. Two caveats a practice should check with its vendor: backups contain the same PHI as the live system and must be encrypted and access-controlled to the same standard, and restores should be tested periodically so that the copies are known to be retrievable when they are needed.
- HIPAA Business Associate Agreement. A vendor cannot be considered HIPAA compliant for your purposes if it will not sign a HIPAA business associate agreement (BAA). However well a vendor secures client data, it cannot be engaged as a business associate unless it enters into a BAA with its healthcare clients. A BAA is a legal contract between a healthcare provider and its business associate vendor in which each signing party commits to safeguard PHI and to maintain its HIPAA compliance. The agreement defines the permitted uses and disclosures of PHI, requires appropriate safeguards, obligates the business associate to report breaches, and requires it to bind any subcontractors that handle the PHI to the same terms. The BAA is essential to compliance because it makes each party's duty to protect the confidentiality, integrity, and availability of PHI enforceable.
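The audit-log review described under Access Management above, worked through in code. This is an added example, not code from the original article or from Compliancy Group, and everything in it is constructed: the log line format, the user directory, the role permissions, the caseloads and the daily baselines are illustrative assumptions, and a real EHR's audit export will have its own schema and field names. It applies four minimum-necessary checks (unknown login, resource type outside the user's role, patient outside the user's caseload, bulk export) and one pattern check (a day's access volume far above the user's established baseline).

```python
"""Audit-log review against the minimum necessary standard.

Added example, not code from the original article or Compliancy Group.
Everything here is constructed: log format, user directory, role
permissions, caseloads and baselines are illustrative assumptions.
"""
from collections import Counter
from dataclasses import dataclass

# Access controls (assumed policy): each role may read certain resource
# types, and each user is scoped to the patients on their caseload.
ROLE_RESOURCES = {
    "clinician": {"progress_note", "treatment_plan", "demographics"},
    "billing": {"claim", "demographics"},
}
USERS = {
    "dr.alvarez": {"role": "clinician", "caseload": {"P001", "P002", "P003"}},
    "j.chen": {"role": "billing", "caseload": {"P001", "P002", "P003", "P004"}},
}
# Typical record accesses per working day, as would be computed from prior
# audit history (constructed values).
DAILY_BASELINE = {"dr.alvarez": 12, "j.chen": 8}

# Constructed audit log: "<timestamp> <user> <action> <resource> <patient>".
# Day one holds normal reads plus four suspicious events; day two is the
# billing user pulling 30 claims, far above their baseline.
AUDIT_LOG = """\
2024-03-04T09:02:11Z dr.alvarez read progress_note P001
2024-03-04T09:15:40Z dr.alvarez read treatment_plan P002
2024-03-04T10:01:03Z j.chen read claim P004
2024-03-04T10:03:27Z j.chen read progress_note P001
2024-03-04T13:44:09Z dr.alvarez read demographics P009
2024-03-04T22:10:55Z dr.alvarez export progress_note P001
2024-03-04T22:12:00Z intern7 read progress_note P001
""" + "".join(
    f"2024-03-05T{9 + i // 10:02d}:{(i % 10) * 5:02d}:00Z j.chen read claim P00{1 + i % 4}\n"
    for i in range(30)
)


@dataclass(frozen=True)
class Finding:
    line: str    # the log line (or user/day) that triggered the finding
    reason: str  # why it was flagged


def parse_event(line):
    ts, user, action, resource, patient = line.split()
    return {"ts": ts, "day": ts[:10], "user": user, "action": action,
            "resource": resource, "patient": patient}


def review(log_text, users=USERS, role_resources=ROLE_RESOURCES,
           baseline=DAILY_BASELINE, burst_factor=3):
    """Return one Finding per policy violation or out-of-pattern access."""
    findings = []
    per_user_day = Counter()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_event(raw)
        user = users.get(ev["user"])
        if user is None:
            # Unique credentials only work if every login maps to a known person.
            findings.append(Finding(raw, "login not in user directory"))
            continue
        per_user_day[(ev["user"], ev["day"])] += 1
        if ev["resource"] not in role_resources[user["role"]]:
            findings.append(Finding(raw, f"role '{user['role']}' may not access {ev['resource']}"))
        if ev["patient"] not in user["caseload"]:
            findings.append(Finding(raw, f"patient {ev['patient']} is not on this user's caseload"))
        if ev["action"] == "export":
            findings.append(Finding(raw, "bulk export of PHI; confirm it was authorised"))
    # Pattern check: a day with far more accesses than the user's norm.
    for (login, day), count in sorted(per_user_day.items()):
        limit = burst_factor * baseline.get(login, 0)
        if count > limit:
            findings.append(Finding(f"{day} {login}",
                                    f"{count} accesses in one day (baseline {baseline.get(login)}, limit {limit})"))
    return findings


if __name__ == "__main__":
    for f in review(AUDIT_LOG):
        print(f"{f.reason:60s} <- {f.line}")
```

Run on the constructed log this produces five findings: the billing user opening a progress note, the clinician reading a patient not on their caseload, the late-night export, a login that is not in the directory, and the 30-claim day. The volume threshold is deliberately a multiple of a per-user baseline rather than a fixed number, because a front-desk scheduler and a clinician have very different normal daily access counts; in a real review the baseline would be recomputed from the vendor's audit export on a rolling window.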
This Article is Contributed by Compliancy Group
Need assistance with HIPAA compliance? Compliancy Group can help!
Basic Telehealth Legal Issues: Rules, Regulations & Risk Management
Bring your telehealth practice into legal compliance. Get up to date on inter-jurisdictional practice, privacy, HIPAA, referrals, risk management, duty to warn, the duty to report, termination, and much more!