Is the Business Associate Agreement (BAA) enough to protect PHI data at risk? A Ponemon Institute study on the state of cybersecurity in healthcare organizations calls this into question. In a survey of 535 IT and IT security practitioners with private and public healthcare and government agencies, 45% agreed on the ineffectiveness of BAAs in ensuring the security of patient information.
It’s a startling finding that nearly half of those involved in healthcare data security see a problem with the BAA governing PHI data protection. These IT professionals are in the data security trenches around the clock. They’re the first to spot trouble or a vulnerability. What can be done to address this? Here are six strategies for adding security to PHI data that passes through the hands of business associates.
Assess business associates with a data security questionnaire
You have signed BAAs with your business associates. Good. Now assess them with a data security questionnaire. One such option is the Standard Information Gathering (SIG) questionnaire from Shared Assessments. It serves as a holistic tool for risk management of cybersecurity, IT, privacy, data security, and business resiliency. Another security risk assessment option is the Office of Inspector General (OIG) Work Plan, which is produced by the U.S. Department of Health & Human Services and free to use.
Trim business associates that have access to PHI data
The HIPAA Privacy Rule states: “A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request.” HIPAA’s minimum necessary guidance is a green light to trim the number of business associates with access to PHI data. Assessment results can help determine who to keep and who to cut, thus helping to lower the risk of PHI data exposure.
Add continuous monitoring to the assessment process
Continuous monitoring is a proactive step in managing PHI data risk with business associates. Technology solutions like RiskRate can automatically screen and continuously monitor your third-party risks against risk intelligence databases, regulatory lists, media publications, politically exposed persons (PEPs) and adverse media profiles. You get the news first when a business associate’s score or grade slips, so you can decide whether an investigation and remediation are warranted.
Simplify how you classify business associates
The HIPAA Privacy Rule mandates that business associates follow HIPAA security and privacy rules. But who’s a business associate and who isn’t? Chances are, you work with many. Should they sign a BAA? Should they be assessed? Try this: divide business associates into two camps, those that interact with PHI and those that do not. The PHI camp has more risks that need to be managed.
Utilize a framework to manage risk and HIPAA compliance
Frameworks like ISO 27001 and the NIST Cybersecurity Framework can help reduce costs while streamlining HIPAA compliance and the risk assessment process. For example, with assessments, questions map to controls in the framework, which in turn map to HIPAA requirements. It’s then easier to see which business associates are compliant with HIPAA.
Rely on a technology platform to manage frameworks, HIPAA, PHI data risk, and more
You can manage your entire business associate program through effective integrated risk management. From one interface, you can assess hundreds or thousands of business associates. You can incorporate continuous monitoring, as well as manage a multitude of frameworks from within the one platform. If there’s a data breach, you have a defined incident response process that you can engage immediately.
Hackers love the high value of patient medical records and will seek out the weakest link to steal them. By implementing these six strategies, you can make sure your business associate isn’t that weak link.