
Are Your Vendors Putting the PHI of Your Patients At Risk?

By Carol Amick, manager of health care services, CompliancePoint.  


As healthcare providers continue to search for ways to cut costs and increase efficiency, many are outsourcing selected services.  One report indicated that 98 percent of the hospitals surveyed were either actively considering outsourcing or had already done so. [1] Outsourcing is expanding beyond non-core functions to clinical areas, as healthcare providers look for ways to decrease costs and increase quality. While outsourcing can be a cost-effective move, failure to properly assess and manage risks related to protected health information (PHI) can create legal and reputational issues for the organization.

However, outsourcing and relying on vendors to perform activities that involve access to PHI increases the risk to a covered entity. Over the past three years, the Health and Human Services Office for Civil Rights (OCR) has issued approximately $6 million in financial penalties where failure to obtain a signed HIPAA-compliant business associate agreement (BAA) from at least one vendor was either the sole reason for the financial penalty or contributed to the severity of the penalty.[2]

The HIMSS 2019 Cybersecurity Report noted that 30 percent of the healthcare vendor respondents had not experienced a significant security incident in the prior 12 months.[3] This means that 70 percent had experienced a significant security incident.

HIPAA requires that covered entities have a BAA with vendors that have access to PHI to perform duties on behalf of the covered entity, or if electronic PHI (ePHI) passes through their systems. The HITECH Omnibus rules require that business associates comply with the security rule with regard to ePHI, report breaches of unsecured PHI to the covered entity, comply with applicable requirements of the privacy rule, and ensure their subcontractors agree to the same regulations.[4]

While a BAA does provide a covered entity with some legal assurances, a BAA does not necessarily indemnify a covered entity against financial penalties for a breach if the covered entity failed to obtain “satisfactory assurances” of the vendor's security.[5] Nor will a BAA protect the entity's reputation. Quest Diagnostics recently experienced a breach by one of their vendors of financial data for approximately 11.9 million patients.[6] While the breach was the fault of the vendor, the media focus and public attention are on Quest Diagnostics.

It’s important to consider if the data an organization is entrusting to a vendor is protected. What is the organization doing to ensure vendors who access ePHI understand their obligations and expectations? 

The steps below should be performed at least annually to help organizations ensure that their vendors are securing their data. Covered entities may do this internally or enlist the services of an independent agency to do the review.  

Verify the Organization Has Required BAAs

Organizations must compare their vendor master file against their BAA file. Many organizations know they set up processes to obtain BAAs when the Health Information Technology for Economic and Clinical Health (HITECH) Act regulations related to business associates were released in 2013,[7] and accounts payable has been trained not to process a check without a BAA. However, experience shows that if there is a way around those controls, someone will have figured it out! Vendors can get established without a BAA when you merge with or acquire another provider. Vendors can get established without a BAA when an emergency purchase is made. Vendors can change ownership without notifying you that you need an updated BAA.

Reviewing the vendor master file should begin with the elimination of vendors that the organization knows are not business associates, such as utilities, employee expense reimbursement, contracted physicians, etc. The organization should then look at all remaining vendors and determine their use of and access to PHI. The process can be time consuming and painful, but if this basic first step is never done, an organization will never know whether it has identified the vendors that are putting it at risk. At the end of this process, the organization will have two lists: vendors with BAAs and vendors without BAAs.

Evaluation of Vendors

Once the organization has a list of vendors that access their PHI, they need to determine “what are these vendors doing to protect patient PHI.” Some questions organizations should ask themselves:

Evaluation can be done in a number of ways. If a vendor is audited annually to maintain their HITRUST certification, or they have a SOC 2 or other audit done to validate their security controls, ask for the reports. Furthermore, the reports should be reviewed to make sure that the controls the organization is relying on to protect ePHI are functioning. If the vendor doesn't have an independent review, the organization may need to do its own review. Reach out to the vendor and talk to them about their security. Covered entities may find it helpful to survey their vendors on security.

If a vendor doesn’t want to provide information, or can’t provide good data, the organization needs to perform a risk assessment to determine if they are willing to accept the risk presented from the lack of information. 

Update BAAs

After doing the two steps above, organizations should have listings of their vendors and their BAAs. For vendors with BAAs, review those BAAs. Have the agreements been updated to reflect the HITECH Omnibus requirements? Are the agreements complete with the names of both parties and the appropriate signatures? Is the contact information correct? If the vendor doesn’t have a BAA, it’s past time to get a BAA. If the vendor with access to PHI refuses to sign a BAA, it’s time to terminate that relationship!
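The reconciliation described in the two steps above (comparing the vendor master file against the BAA file, eliminating categories that are not business associates, then checking each BAA for the Omnibus update, both party names, both signatures and contact information), as an added Python example that is not part of the original article. The category names, the PHI-access flag (the outcome of the "use and access to PHI" determination) and the 23 September 2013 Omnibus compliance date used as the "updated" cut-off are assumptions.

```python
from dataclasses import dataclass
from datetime import date
NOT_BA_CATEGORIES = {"utility", "employee_reimbursement", "contracted_physician"}  # eliminated first
OMNIBUS_DATE = date(2013, 9, 23)  # assumed cut-off for "updated for HITECH Omnibus" (rule compliance date)

@dataclass
class Vendor:            # one row of the vendor master file
    vendor_id: str
    category: str
    accesses_phi: bool   # outcome of the "use and access to PHI" determination

@dataclass
class BAA:               # one row of the BAA file
    vendor_id: str
    parties: tuple       # (covered entity name, business associate name)
    signatures: tuple    # (signed by covered entity, signed by business associate)
    contact_email: str
    effective: date

def baa_defects(baa):
    """Apply the 'Update BAAs' checklist; return the items this BAA fails."""
    defects = []
    if baa.effective < OMNIBUS_DATE:
        defects.append("predates HITECH Omnibus rule")
    if not all(baa.parties):
        defects.append("party name missing")
    if not all(baa.signatures):
        defects.append("signature missing")
    if "@" not in baa.contact_email:
        defects.append("contact information missing")
    return defects

def reconcile(vendors, baas):
    """Split the vendor master into the article's two lists and flag defective BAAs."""
    by_vendor = {b.vendor_id: b for b in baas}
    out = {"not_ba": [], "with_baa": [], "without_baa": [], "defective_baa": {}}
    for v in vendors:
        if v.category in NOT_BA_CATEGORIES or not v.accesses_phi:
            out["not_ba"].append(v.vendor_id)
        elif v.vendor_id in by_vendor:
            out["with_baa"].append(v.vendor_id)
            if d := baa_defects(by_vendor[v.vendor_id]):
                out["defective_baa"][v.vendor_id] = d
        else:
            out["without_baa"].append(v.vendor_id)   # past time to get a BAA
    return out

# Constructed sample data (not real vendors): utility, billing vendor with an old unsigned
# BAA, transcription vendor with a current BAA, cloud host onboarded during an acquisition.
VENDORS = [Vendor("V1", "utility", False), Vendor("V2", "billing", True),
           Vendor("V3", "transcription", True), Vendor("V4", "cloud_hosting", True)]
BAAS = [BAA("V2", ("Example Hospital", "Billing Co"), (True, False), "", date(2012, 1, 5)),
        BAA("V3", ("Example Hospital", "Transcribe LLC"), (True, True), "sec@transcribe.example", date(2019, 3, 1))]
```

Calling `reconcile(VENDORS, BAAS)` on the sample data puts V1 on the not-a-business-associate list, V4 on the no-BAA list, and flags V2's BAA for three of the four checklist items.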

Monitoring vendors for PHI security is not a “one time” review. A vendor who had a great security person who understood HIPAA and the organization's requirements can have a financial setback and replace the experienced security director to save money. A vendor who assured an organization that their data was stored and processed in the US can suddenly outsource processing of the account to an offshore location. While this monitoring can take time and resources, as many have learned in healthcare, a little prevention can often head off a major issue.


[1] https://www.prnewswire.com/news-releases/by-2022-average-hospital-costs-must-be-reduced-by-24-to-breakeven-and-outsourcing-may-be-the-solution-says-black-book-300643743.html

[2] https://www.hipaajournal.com/hipaa-business-associate-agreement/

[3] https://www.himss.org/2019-himss-cybersecurity-survey

[4] https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html

[5] https://www.hipaajournal.com/hipaa-business-associate-agreement/

[6] https://www.washingtonpost.com/business/economy/quest-diagnostics-discloses-breach-of-patient-records/2019/06/03/aa37b556-860a-11e9-a870-b9c411dc4312_story.html?utm_term=.ef131df9330b

[7] https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/index.html

HIPAA Audit Provides Lessons On Risk and Implementation

By Carol Amick, manager of healthcare services, CompliancePoint.


According to the United States Department of Health and Human Services, approximately 70 percent of organizations are not HIPAA compliant. The Health Insurance Portability and Accountability Act, known as HIPAA, mandates industry-wide standards for healthcare information and electronic billing, and requires protection as well as confidential handling of protected health information.

According to HIPAA rules, any company that deals with protected information must have physical, network and process security measures that are followed to ensure compliance. It may be safe to say that many organizations are still perplexed about HIPAA audits, enforcement and compliance. As a result, the organizations that fail to meet compliance each year remain the majority. To begin understanding compliance, healthcare organizations would be wise to consider three key recommendations.

Analyze the past, to avoid making the same mistake twice

It is important for hospitals and healthcare facilities to look at some of the common mistakes that are repeatedly noted in HIPAA security reviews. HIPAA states that, out of all the reviews completed, there are a number of frequent compliance violations and issues found each year. These include impermissible uses and disclosures of protected health information, lack of safeguards to protect health information, lack of patient access to their personal health information, lack of administrative safeguards on electronic protected health information, and use or disclosure of more than the minimum necessary protected health information. Protecting valuable data by analyzing past mistakes is an important step in the compliance process.

Perform a risk assessment and GAP analysis

One preventative measure in assessing an organization’s compliance with HIPAA is a risk analysis and a GAP analysis. The confusion and lack of understanding around the two examinations has been common among healthcare professionals in the marketplace for some time. Not understanding the differences can be detrimental to an organization, and puts them at a significantly higher risk. According to HHS and OCR guidelines, all healthcare organizations must specifically conduct a risk analysis to be deemed within HIPAA compliance.

A HIPAA GAP analysis can be used to measure the organization's information security standing against HIPAA, which is part of the HHS audit protocol. Comparing the organization's current practices to the HHS OCR audit protocol will identify the strengths and weaknesses of the security program. From there, the organization can determine whether it has reasonable and appropriate administrative, physical and technical safeguards in place to protect patient health information. Performance of the GAP analysis also allows the organization to develop an audit response toolkit, which includes the data and documentation that would support compliance with the HIPAA regulations to regulatory agencies.
