Residential services providers should be aware that they must hold business associates to high standards for protecting the private health information of clients. What this means is that you must make sure contractors and vendors are protecting private health information that may be accessible to them in the course of doing business with you.
In a recent memo, the U.S. Office for Civil Rights (OCR) raised this question: Is your Business Associate prepared for a security incident?
Put another way: Do your business associates even know what to do to safeguard information about your clients? Business associates include a wide range of outside contractors, from billing companies to housekeeping providers who may see, hear or access private health information.
As a residential provider or facility operator, you're required to have Business Associate Agreements in place. But quite apart from the privacy rules, these agreements work to your advantage. You certainly don't want to be held responsible for poor practices, or even poor judgment, on the part of business associates. Importantly, beyond the mere signing of an agreement, it is critical to tell business associates what they need to do to protect private information, so they are mindful of the practical day-to-day considerations that go along with securing it.
In its memo, OCR refers to a widespread perception that it is difficult for healthcare providers to know whether their business associates are adequately protecting patient information.
First, let's make sure you know who your business associates are. In sum, a business associate is any outside person or company that creates, receives, maintains or transmits protected health information (or other personally identifiable information about the people you serve) on your behalf.
They – through you – are obligated to meet all federal privacy and security laws to protect that information. This includes billing companies, technology vendors, temporary staffing companies and anyone else with potential access to patient information. With every business associate, you need an agreement that legally binds you (the HIPAA covered entity) and the business associate, with very clear terms for managing and protecting the health information that comes from you.
OCR also says you should plan in advance for how you will confront a breach by a business associate, including subcontractors.