How to Identify Business AssociatesKnowing Whether a Vendor is Liable Under HIPAA Omnibus
Smaller healthcare organizations attempting to determine whether vendors are business associates or subcontractors directly liable for HIPAA compliance should carefully review each company's responsibilities, says compliance expert Marjorie Satinsky.
"The big issue here is whether or not a business associate on a regular basis uses protected electronic health information to go about their business on your behalf," she says in an interview with HealthcareInfoSecurity about HIPAA Omnibus Rule compliance (transcript below).
Under the HIPAA Omnibus rule, business associates as well as their subcontractors are liable for HIPAA compliance if they "receive, create, maintain or transmit protected health information on behalf of a covered entity."
Satinksy explains: "If a billing company outsources something, the subcontractor is also liable. The chain of command goes down a little deeper than it did at the very beginning."
Healthcare organizations should carefully document their HIPAA compliance efforts along the way. "It's not only knowing who your business associates are [and] who the subcontractors are, but it's also putting all that down in a way that could be great evidence for you if somebody comes looking," Satinsky says.
In the interview, Satinsky also discusses:
- Risk assessment tips for smaller healthcare providers in complying with HIPAA;
- Why new business associate agreements are needed;
- The biggest HIPAA compliance challenges faced by smaller healthcare providers.
Satinsky is president of Satinsky Consulting, LLC in Durham, N.C., which provides business consulting services to small medical practices. She has assisted more than 80 practices with HIPAA privacy and security rule compliance. Satinsky is the author of three books and numerous articles on healthcare management and has written regularly for the North Carolina Medical Board. She has an MBA and an MA from the University of Pennsylvania as well as advanced training in healthcare negotiations from the Harvard School of Public Health.MARIANNE MCGEE: Tell us briefly about your firm and your role?
MARJORIE SATINSKY: Satinsky Consulting is a small consulting firm. We've been here in Durham, N.C., since 2002, and the services that we provide for medical clients include practice start-up and include assistance in any kind of business problem that somebody may encounter after they're already up and running.
With respect to HIPAA compliance, I see it in two different ways. I see it in practices that are starting from scratch and know nothing about it. I also see it in practices that have been in existence for a while and may have varying degrees of compliance, whether that's good or bad. I have to approach it from both different perspectives.
With respect to my own background, I ran a small pediatrics specialty practice before I opened my own business, so I'm very familiar with the struggles of running a small business and trying to do everything. ...
Biggest HIPAA Omnibus Challenges
MCGEE: In the work that you do with smaller providers, what are the biggest difficulties they're having so far with HIPAA Omnibus and why?
SATINSKY: There are two different kinds of difficulties. One is, in most small practices, the practice manager or the office manager ... is doing everything. When either a new law or revision to an existing law, such as the omnibus final rule in 2013, comes along, it's simply overwhelming for somebody who already has a full-time job. It's very challenging to have to stop what you're doing and figure out what this new law says and how this new law may or may not relate to what you've already done in your practice. I think that's number one. That's a big challenge.
Second, I would say HIPAA compliance involves two types of activities. One's related to privacy and the second is related to security. I think that the response requires two different skill sets. Privacy is primarily administrative, and the guidance that the federal government provided in 2002 when the original rule came out and, subsequently, in 2009 and now in 2013 is all about administrative procedures. To somebody in an administrative position, that's fairly straight-forward. You just do what they tell you and you do it in a way that makes sense for your practice.
HIPAA security is more challenging. HIPAA security involves your building, it involves technical issues and it also involves administrative issues. In many cases, even if you understand what has to be done, you yourself might not be the person who can best fix it. Those are the two big challenges: One is simply being overwhelmed by the enormity of the task and the second is that there are different kinds of challenges in privacy and security.
MCGEE: What steps should smaller healthcare providers take in setting up priorities for the work that they'll need to do in order to comply with HIPAA Omnibus by Sept. 23?
SATINSKY: If you can get started now then perhaps you have a chance of finishing what needs to be done in a very short time period. The first step with compliance is to use a checklist, and go through that checklist to see where you currently are.
I'll give you an example. If I'm working with an existing practice, which I'm doing right now with one where I have done HIPAA compliance before, this practice will take a checklist for privacy and security. It's my checklist. They'll go down the checklist and say, "Yes, we're doing this; no, we're not doing that." From the checklist, you create your priorities. If you're a start-up practice, you have nothing in place. You have every opportunity to get it right, right at the very start, and you still use the checklist. You go down the checklist and the checklist reminds you of all the things that you need to be doing.
Let me give you another example. ... If you're a practice and you're HIPAA compliant, you would have had a notice of privacy practices and the business associate agreements that were originally done in 2002. If you were paying attention and you updated what you were doing in 2009, you would have had to change that again. Here we are in 2013. There's yet a third set of requirements, and the question for an existing practice is do you go back and redo all the things that you had before, or do you simply start over and say, "It's new now and I might as well forget about what I had before and just take a brand new sample business associate agreement or notice of privacy practices, start with that and spend less time than I would have to spend revising what I had before?"
MCGEE: You mentioned checklists of things to do. Related to that, the lack of timely or thorough risk assessment has resulted in some big fines from the Department of Health and Human Services for a number of healthcare organizations over the last year. The department promises to ramp up enforcement even more after the HIPAA Omnibus compliance deadline passes on Sept. 23. What advice do you have for smaller healthcare providers that haven't done a HIPAA risk assessment in a very long time, if ever, and how should they get started?
SATINSKY: If you haven't done a risk assessment, you probably don't even know the right questions to ask yourself. I would certainly seek guidance from an external organization. I'll give you some examples of the places that I go to look in order to create the risk assessment questions for my own clients. I would go to Medical Group Management Association and Healthcare Information and Management Systems Society. In our state, which is North Carolina, our state organization [North Carolina Healthcare Information and Communications Alliance] that deals with information technology and communications might have something. There are a lot of external agencies that have done that work of coming up with those risk questions, and that's a great please to start. If you're a busy practice manager in a small practice and you don't have time to create your own, absolutely get one that somebody else has to offer for you. ...
With the security questions, interestingly enough I've had several people say to me, "Margie, these risk assessment questions are exactly the same as they would be for any industry. It's such a standard set of things to which you have to pay attention to for security." An example is, "If you happen to have a server in your office which fewer people have these days, is it protected? Is it in a place where it's not likely to be damaged in any way?"
A great example of that was a client I had that used to open the back door in the summer to let the air in, and the server was sitting right there in an unprotected area. Somebody could just walk in the back door, take a hammer to the server and walk out, and nobody would ever know it. I can't emphasize enough the importance of getting those risk assessment questions and going through them.
Related to that is the importance of documentation. You mentioned that the government is really stepping up its compliance, its enforcement, and it's imposing significant penalties on people who are not compliant. I think that small practices, in particular ,have to take this seriously. You can't say, "I'm a small practice; nobody is looking. It's pretty unlikely that I will be the one that gets audited." You can't say that at all. I've been called several times by practices that have had some unexpected experiences, and I'll give you an example of one of them.
As you know, the meaningful use requirements for the financial incentive related to electronic health records has a requirement in it for HIPAA compliance. The people who called me said, "We applied for our financial incentive and we didn't get it because there were questions about whether or not we were really HIPAA compliant. When the auditors came to take a look, indeed we weren't HIPAA compliant and we jeopardized our whole financial incentive." Although meaningful use is not the reason to comply with HIPAA, it's related to HIPAA, and I think small practices really have to take this seriously.
MCGEE: Under HIPAA Omnibus, business associates will be directly liable for HIPAA compliance. What advice do you have for smaller providers in dealing with business associates moving forward? For instance, what sorts of changes are needed to the business associate agreements? How should they manage these relationships, and how should they figure out whether or not a vendor is a business associate?
SATINSKY: In respect to business associates, the definition hasn't changed much. It's a little clearer than it was at the very beginning, but the first step here is to make a list of all the vendors with which a practice deals and go through that list. The big issue here is whether or not a business associate on a regular basis uses protected electronic health information to go about their business on your behalf.
I'll give you some examples of people who would be a business associate and people who would not be a business associate. I'm often asked to sign a business associate agreement. I don't do anything with patient information ever. It never comes to me. I never look at it. Technically, I'm really not a business associate and I don't need to sign the agreement. I've been known to sign it anyhow just because I want to make somebody happy, but I'm not really a business associate. On the other hand, if I were a billing company and the practice was giving me on a regular basis information about services that had been rendered and demographic information about the patients so that I could bill and perhaps even collect on the practice's behalf, [then] yes, I'm a business associate.
The omnibus final rule goes one step further. It makes business associates liable [for HIPAA compliance]. It also says if the business associate has a subcontractor, that subcontractor is liable. For example, going back to my suggestion about the billing company, if the billing company outsources something, the subcontractor is also liable. The chain of command goes down a little deeper than it did at the very beginning. ...
Another requirement of the omnibus final rule that's different and important is that the covered entity should have a contract in place outlining exactly what the responsibilities of each one [the covered entity and the business associate] are. Right now, that doesn't always happen. It's always good business regardless of HIPAA, but it doesn't always happen. Sometimes there's a gentlemen's agreement, a handshake or whatever there is, and the terms of the contract are not put in writing.
Back to the question about the audits, one of the most important things about HIPAA compliance is documentation. If you have documented the fact that you've done a risk assessment, you've made some decisions about what you're going to do and you document, document, document as you go along, if somebody comes in for an audit and you have something that you've put down on a piece of paper and/or in your computer, you're in a position to be able to say, "Yes, I know about this. I've thought about this and these are the things that I have done." It's not only knowing who your business associates are, who the subcontractors are, but it's also putting all that down in a way that could be great evidence for you if somebody comes looking.
MCGEE: Are there any security technologies that smaller providers tend to overlook that could help them improve compliance with HIPAA?
SATINSKY: I think that the most important thing with respect to security and small practices is you don't have to do everything internally. ... I've been in hundreds of practices where somebody's husband, wife or children are the security people because they like to play around with computers. That's not good enough.
One of the issues that I see very frequently even when you do use an outside person is that the outside people don't do HIPAA all day long. They do many other things related to information technology support. You as an office manager or a practice manager need to be knowledgeable about what needs to be done.
I'll give you an example of it. Supposing I'm the practice manager and I'm concerned about the passwords - I'm concerned about who's looking at a computer screen and whether or not patients can see what's on that screen when they're standing at a reception area. My IT support person may not know exactly what to do unless I tell him. I may say, "Take a look at my waiting area. I don't want patients to be able to see the screen." Then he does something to the screen or he sets a timer on it so that it goes off after a certain period of time. It might now dawn on him or her right away what they need to do without my guidance. I think that using external security people is absolutely crucial. ...
The other challenge with security is the way the rule is written; it allows people a choice. It may say, "This is an area that you have to address, but you decide how you're going to address it." Here's an example of that. Security would say you have to have a building that's protected presumably by an alarm. It doesn't say what kind of an alarm you have to get, and it doesn't tell you how much money to spend on it. That's up to you. In terms of making these small, but very important, decisions, you may want [to turn to] somebody who's more knowledgeable than you are about the choices that you have. ...
Complying with HIPAA Omnibus
MCGEE: Do you have any final advice for small providers in terms of complying with the HIPAA Omnibus Rule, anything that people tend not to do or forget to do, or just don't realize they should be doing?
SATINSKY: The most important thing is to start right this minute, and not feel stupid or overwhelmed. You have to start some place and there are plenty of people out there who know how to do it. ... I would also encourage people to participate in professional groups, user groups or whatever. ... There's help out there. All you have to do is open your eyes, open the door and you can get the help that you need in order to comply by Sept. 23.