6 Strategies for Managing PHI Data Risk With Business Associates

Is the Business Associate Agreement (BAA) enough to protect PHI data at risk? A Ponemon Institute study on the state of cybersecurity in healthcare organizations calls this into question. In a survey of 535 IT and IT security practitioners with private and public healthcare and government agencies, 45% agreed on the ineffectiveness of BAAs in ensuring the security of patient information.

It’s a startling finding that nearly half of those involved in healthcare data security see a problem with the BAA governing PHI data protection. These IT professionals are in the data security trenches around the clock. They’re the first to spot trouble or a vulnerability. What can be done to address this? Here are six strategies for adding security to PHI data that passes through the hands of business associates.

Learn:  HIPAA For Business Associates

Assess business associates with a data security questionnaire

You have signed BAAs with your business associates. Good. Now assess them with a data security questionnaire. One such option is the Standard Information Gathering (SIG) questionnaire from Shared Assessments. It serves as a holistic tool for risk management of cybersecurity, IT, privacy, data security, and business resiliency. Another security risk assessment option is the Office of Inspector General (OIG) Work Plan, which is produced by the U.S. Department of Health & Human Services and free to use.

Trim business associates that have access to PHI data

The HIPAA Privacy Rule states: “A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request.” HIPAA’s minimum necessary guidance is a green light to trim the number of business associates with access to PHI data. Assessment results can help determine who to keep and who to cut, thus helping to lower the risk of PHI data exposure.

Add continuous monitoring to assessment process

Continuous monitoring is a proactive step in managing PHI data risk with business associates. Technology solutions like RiskRate can automatically screen and continuously monitor your third-party risks against risk intelligence databases, regulatory lists, media publications, politically exposed persons (PEPs) and adverse media profiles. Get the news first if a business associate score or grade slips and if an investigation and remediation are warranted.

Read: 4 Ways to Protect ePHI Beyond HIPAA Compliance

Simplify how you classify business associates

The HIPAA Privacy Rule mandates that business associates follow HIPAA security and privacy rules. But who’s a business associate and who isn’t? Chances are, you work with many. Should they sign a BAA? Should they be assessed? Try this. Divide business associates into two camps: one interacts with PHI. The other does not. The PHI camp has more risks that need to be managed.

Utilize a framework to manage risk and HIPAA compliance

Frameworks like ISO 27001 and NIST Cybersecurity Framework can help reduce costs while streamlining HIPAA compliance and the risk assessment process. For example, with assessments, questions map to controls in the framework, which also map to HIPAA. It’s then easier to see which business associates are compliant with HIPAA.

Read: Top 10 Regulatory Challenges in the Healthcare Environment

Rely on a technology platform to manage frameworks, HIPAA, PHI data risk, and more

You can manage your entire business associate program through effective integrated risk management. From one interface, you can assess hundreds or thousands of business associates. You can incorporate continuous monitoring, as well as manage a multitude of frameworks from within the one platform. If there’s a data breach, you have a defined incident response process that you can engage immediately.

Hackers love the high value of patient medical records and will seek out the weakest link to steal them. By implementing these six strategies, you can make sure you business associate isn’t that target.


Learn more about Integrated Risk Management

Chat with a solutions expert to learn how you can take your compliance program to the next level of maturity.

A New Age of Accountability: Global Whistleblowing on the Rise

3 Ways to Protect Your Supply Chain from Coronavirus Mayhem

How  to bolster your supply chain for future mayhem AND future recovery: 1.) Assess current suppliers for resiliency, 2.) Mitigate risk by diversifying the supply chain, and 3.) Add continuous monitoring to regular assessments.

Previous/Next Article Chevron Icon of a previous/next arrow. Previous Post

Risk x3: Managing People, Business & Regulatory Risk

Risk has changed. The future lies in moving past a rigid structure and embracing a holistic view that broadens our perspective of risk while simplifying the approaches we take to managing it. This is how your organization can create a single, resilient architecture capable of managing people, regulatory and business risk.

Next Post Previous/Next Article Chevron Icon of a previous/next arrow.

Subscribe Now!
Most Recent
EU Conflict Minerals Regulation: What You Need to Know
EU Conflict Minerals Regulation: What You Need to Know
A New Age of Accountability: Global Whistleblowing on the Rise
A New Age of Accountability: Global Whistleblowing on the Rise
ESG Reporting: Where to Start
ESG Reporting: Where to Start
Risk Management & IT Security in the Work from Home Era
Risk Management & IT Security in the Work From Home Era
The Post-COVID-19 Workplace: What Employers Should Expect
The Post-COVID-19 Workplace: What Employers Should Expect
Cyber Security Awareness Kit to Educate Workforce
Download Toolkit