The latest enforcement action from the Office of Civil Rights (“OCR”) is the result of a business associate’s failure to safeguard protected health information (PHI) under the Security Rule: the theft of an employee’s mobile device compromised the PHI of hundreds of nursing home residents. That employee’s cell phone was unencrypted and was not password protected at the time of the loss, leaving PHI vulnerable, including social security numbers and diagnostic and treatment information. The OCR pointed to a lack of proper security policies, as well as the absence of a risk analysis or risk management plan, which are “cornerstones of the HIPAA security rule” according to OCR Director Jocelyn Samuels. Although the business associate is being held accountable, the covered entity must deal with potential bad press and loss of confidence by its patients and communities served.

What are covered entities to do?

Many covered entities conduct a screening process prior to contracting to ensure the prospective business partner has a good name in the industry and has a proven track record of delivering high-quality services. Once this due diligence has been accomplished, it is a good idea to conduct periodic check-ups on the same points as part of your facility’s annual risk assessment process. When conducting your risk assessment, avoid asking “yes/no” questions, as that merely checks a box on a form. As you know, procedures established to prevent errors and mishaps may, over time, succumb to employee short-cuts, adjustments to conform to new technology or circumstances, or non-enforcement by newer members of the management team. Instead, consider asking open-ended questions to learn the details of how their work and processes are accomplished:

For example:

  • What does your employee HIPAA training cover?
  • What is your policy on sanctioning workforce members who violate HIPAA?
  • What are the safeguards that your company has put in place to protect PHI from unauthorized access or modification?
  • Describe your standard work flow procedures and how PHI is protected throughout.
  • Describe your incident detection, reporting, and management process.
  • Have you had a recent security risk assessment?  If yes, please provide a copy of the report.  If no, when do you plan on conducting it?
  • Do you subcontract work involving PHI?  If yes, please provide the subcontractor’s name and describe safeguards they have in place for protecting PHI.
  • What is your process for returning or destroying our PHI after our contract expires?

Ensure your business associate meets or exceeds your facility’s privacy practices and security safeguards for each of the questions you ask.  Accordingly, make sure you have an up-to-date business associate agreement with your vendors that clearly reflects your expectations for PHI safeguarding.  Also, when your facility implements a new Notice of Privacy Practices or other policy or procedure which may impact privacy practices or that will require a change/upgrade to security safeguards, communicate these to your business associate so that they may implement or revise their own policies and procedures accordingly.

Getting a HIPAA health check-up can pay off

Implementing a periodic process to solicit and record updated information from your business associate is good practice. Newer information can be relied upon more readily than the information you collected years ago, especially when you receive notice of an incident involving PHI. Also, you need not wait for an annual process: when incidents like the missing cell phone make news headlines, check with your business associate to see what processes they have in place, or will soon put in place, to prevent the same incident from happening to them – and from impacting you.