PHI rules prompt scrutiny of business associates

22-07-2013

Healthcare providers and other covered entities need to scrutinize their business associates to ensure protected health information (PHI) is kept safe. What is more, some may need expert advice to determine whether a business associate agreement is backed by the correct safeguards and controls.

That is the view of Fernando Martinez, corporate privacy and security officer for healthcare consulting firm Beacon Partners.

“We as an industry tend to judge risk by the piece of the iceberg we see above the waterline,” he said. “Above the waterline are things like having the policies and procedures in place, doing a risk assessment, having a compliance audit. That generally gives us a feel-good sense about where we are with things in terms of due diligence and being prepared, but what we fail to recognise is what is lurking below the waterline.”

He said that if a healthcare organization does not take an active approach to risk management, it is just a matter of time before that organization becomes a victim.

“This is not something that you have to develop a defensive plan for but rather you must develop an offensive plan,” he said.

He argues that organizations need an active program for testing and validating that policies, procedures and controls are effective in protecting PHI, both within the organization and when that information is in the hands of business associates.

“Covered entities need to be more vigilant around business associates,” he said. “We’re really in uncharted water here because covered entities – large health systems in particular – have never had the time or resources to do that; they just trusted that their business associates are going to do what they need to do.”

He believes that the healthcare industry does not take the threat of regulatory or federal fines seriously enough.

“Even though you see this proliferation of breaches and the penalties that are going along with them there seems to be a lack of urgency or concern around it and that’s really perplexed many people in the industry,” he said.

“The HIPAA omnibus rule really speaks of a more rigorous approach to how the federal government will hold organizations accountable for their conduct so I think this is something that risk managers need to be concerned with.”

He believes that a proliferation of penalties may alert covered entities to the need to be more proactive in their approach to cyber risk.

“The future will tell us what happens but I think if we start seeing a lot of these penalties as far as business associates are concerned it’s going to take healthcare organizations to a different point where they’re going to have to figure out how to develop an internal program to have a higher level of confidence that the business associates are doing what they’re supposed to do,” he said.
