Tips on finding the right HIPAA Business Associate?

The federal law of the Unites States demands that every health care provider and vendor adopts adequate measures to protect sensitive patient data by ensuring that the IT component of the system is in place. The mounting pressure to do so has paved way for strategic review to ensure complete compliance of the law and quality delivery of health care services. While these aspects are important, the other big concern for health care providers is the cost involved in meeting the HIPAA regulation. This is a very apparent component of the equation, which is why many health care enterprises prefer outsourcing HIPAA hosting to third-party. In past one decade, outsourcing has assisted onshore businesses and enterprise to procure quality services and resources at a cost effective price point. However, due to the sensitive nature of the HIPAA regulation, covered entities are often inhibited to outsource HIPAA hosting to a third party vendor.

Most often entities are skeptical of engaging in offshore business association due to several breaches and penalties that have been recorded as a result of HIPAA non compliance. But the benefit of resource optimization and cost efficiency of outsourcing has made it a viable choice for many. In order to strike a right balance between both aspects there is a need to follow a robust vendor selection criterion that extends the advantage of both. Here are few tips in that direction:

1. Determining the nature of service :
Before embarking on the journey to find a requisite vendor or business associate it is imperative to analyze the purpose of outsourcing and the nature of the service that one is seeking. It could vary from customer management, clinical data storage, big data management, billing process etc.

2. HIPAA Compliant :
Many business associates or data center operators use the misleading term “HIPAA certified”. This use of such term is false as there is no regularized body that recognizes HIPAA certification of any sort. The right phrase of this is “HIPAA complaint”. A business associate that is “HIPAA complaint” means that it is following requisite policies, regulations and IT protocols.

3. Request for HROC or HIPAA report of compliance :
This is a very important step before you say yes to any business associate. Those vendors who have carried out independent audit are by all means following the procedures and policies associated with HIPAA compliance. You can request you associate to give you a copy of the HROC which covers the HIPAA privacy rule, security rule, and breach notification rule.

4. Request for BAA or Business Associate Agreement :
Every year million of dollars are spent as penalty resulting due to a breach and neglect. Therefore, it is imperative to request for a BAA with you vendor. In the agreement all the checks and balances associated with handling of PHI (Protected Health Information) must be carefully laid out. Right from breach notification, contract termination, data ownership and handling of ePHI after termination should be adequately addressed in the business associate agreement.

5. Breach Insurance Protection :
This is important for instances wherein data is lost of compromised while resting with the business associate. The document must cover the cost of notification, investigation, litigation and penalties.

The outsourcing channel is amazing if you wish to minimize risk, cost and resource optimization. But as a covered entity whenever you decide to outsource HIPAA compliant hosting it is imperative to find the right partner for the job. This requires understanding of the subtle nuances associated with it. By doing so one not just covers the cost of hefty fine but also salvages reputation in the industry.

(Image Courtesy : Egnyte.com)