6 Strategies for Managing PHI Data Risk With Business Associates

Is the Business Associate Agreement (BAA) enough to protect PHI data at risk? A Ponemon Institute study on the state of cybersecurity in healthcare organizations calls this into question. In a survey of 535 IT and IT security practitioners with private and public healthcare and government agencies, 45% agreed on the ineffectiveness of BAAs in ensuring the security of patient information.

It’s a startling finding that nearly half of those involved in healthcare data security see a problem with the BAA governing PHI data protection. These IT professionals are in the data security trenches around the clock. They’re the first to spot trouble or a vulnerability. What can be done to address this? Here are six strategies for adding security to PHI data that passes through the hands of business associates.


Assess business associates with a data security questionnaire

You have signed BAAs with your business associates. Good. Now assess them with a data security questionnaire. One such option is the Standard Information Gathering (SIG) questionnaire from Shared Assessments. It serves as a holistic tool for risk management of cybersecurity, IT, privacy, data security, and business resiliency. Another security risk assessment option is the Office of Inspector General (OIG) Work Plan, which is produced by the U.S. Department of Health & Human Services and free to use.

Trim business associates that have access to PHI data

The HIPAA Privacy Rule states: “A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request.” HIPAA’s minimum necessary guidance is a green light to trim the number of business associates with access to PHI data. Assessment results can help determine who to keep and who to cut, thus helping to lower the risk of PHI data exposure.

Add continuous monitoring to the assessment process

Continuous monitoring is a proactive step in managing PHI data risk with business associates. Technology solutions like RiskRate can automatically screen and continuously monitor your third-party risks against risk intelligence databases, regulatory lists, media publications, politically exposed persons (PEPs) and adverse media profiles. You get the news first if a business associate's score or grade slips, and you can decide whether an investigation and remediation are warranted.


Simplify how you classify business associates

The HIPAA Privacy Rule mandates that business associates follow HIPAA security and privacy rules. But who's a business associate and who isn't? Chances are, you work with many. Should they sign a BAA? Should they be assessed? Try this: divide business associates into two camps, those that interact with PHI and those that do not. The PHI camp carries more risk that needs to be managed.

Utilize a framework to manage risk and HIPAA compliance

Frameworks like ISO 27001 and the NIST Cybersecurity Framework can help reduce costs while streamlining HIPAA compliance and the risk assessment process. For example, assessment questions map to controls in the framework, which in turn map to HIPAA requirements. It's then easier to see which business associates are compliant with HIPAA.


Rely on a technology platform to manage frameworks, HIPAA, PHI data risk, and more

You can manage your entire business associate program through effective integrated risk management. From one interface, you can assess hundreds or thousands of business associates. You can incorporate continuous monitoring, as well as manage a multitude of frameworks from within the one platform. If there’s a data breach, you have a defined incident response process that you can engage immediately.

Hackers love the high value of patient medical records and will seek out the weakest link to steal them. By implementing these six strategies, you can make sure your business associate isn't that weakest link.
