Private Duty

8 steps to protect patient data sent to and from business associates

Agencies must comply with HIPAA when passing patients' protected health information (PHI) to and from business associates. Follow these eight tips to protect your patients and your agency from breaches:

Assess how you and your business associates transmit PHI to each other as part of your regular HIPAA risk analysis. If you uncover any vulnerabilities, resolve them.

Ensure your agreements with business associates say that the business associate will implement safeguards to protect the PHI it creates, receives, maintains or transmits for the covered entity. If the business associate uses a subcontractor to handle your PHI, the subcontractor must agree to the same transmittal requirements as the business associate.

Confirm that the business associate’s email address is correct before transmitting, warns attorney Elizabeth Litten with Fox Rothschild in Princeton, N.J.

Only transmit the minimum necessary amount of PHI for the business associate to perform its work on your behalf, as required by HIPAA. “The fact that you were selective will help show that you tried to restrict access,” explains attorney Michael Kline, also with Fox Rothschild.

Watch for glitches in encryption. For instance, when some encrypted email systems reach a recipient system that doesn't accept the encryption, the email is sent unencrypted by default, and then the PHI is no longer secure, Litten says. In that case, you'd need to turn that default off, she says.

Document how you transmit PHI. That way you’re in a better position to defend yourself should something go awry, Kline says. For instance, use tools such as “read receipt” email notifications.

Check whether your cyberinsurance covers breaches during transmission. At least that way you’ll know whether the insurance will protect you should an incident occur, Kline says. If it doesn’t, you may want to add it or change your insurance carrier to one that covers data in motion.

Review your business associate agreement to see how PHI needs to be handled when the relationship has ended. Your agency is allowed to require the business associate to send the PHI to a different associate, but the data still needs to be sent in compliance with HIPAA, Litten says.
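The encryption fallback Litten warns about (the fifth tip above) is the "opportunistic TLS" default of most mail software: the sending server asks the next hop for STARTTLS and, if the offer isn't there, delivers in the clear. The script below is an added example, not from the article or the attorneys quoted in it, of what "turning that default off" looks like in practice: outbound mail fails closed unless the next hop actually offers STARTTLS and presents a valid certificate. The relay name, the partner domains and the TLS_POLICY table are hypothetical placeholders an agency's IT staff would replace with its own.

```python
"""Fail-closed STARTTLS gate for outbound email carrying PHI.

Added example; not from the article or its sources. Assumptions
(all hypothetical): the agency sends through an SMTP relay it
controls, and TLS_POLICY is the agency's own per-partner table.
"""
import smtplib
import ssl

# Hypothetical per-domain policy. "encrypt": never send in the clear.
# "may": opportunistic TLS, i.e. the fall-back-to-plaintext default the
# article warns about; listed here only to show the contrast.
TLS_POLICY = {
    "billing-ba.example": "encrypt",
    "legacy-partner.example": "may",
}
DEFAULT_POLICY = "encrypt"   # unknown partners get the strict setting


def policy_for(domain):
    """Look up the TLS policy for a recipient domain (case-insensitive)."""
    return TLS_POLICY.get(domain.lower(), DEFAULT_POLICY)


def recipient_domain(address):
    """'<Nurse@Billing-BA.example>' -> 'billing-ba.example'."""
    return address.rsplit("@", 1)[-1].strip("<>").lower()


def decide_transport(domain, ehlo_extensions):
    """Decide how to handle a message for `domain` given the extensions
    the next-hop server advertised in its EHLO reply.

    Returns "tls" (upgrade with STARTTLS), "plain" (send unencrypted;
    only allowed under a "may" policy) or "refuse" (fail closed).
    """
    offers_tls = any(ext.upper() == "STARTTLS" for ext in ehlo_extensions)
    if offers_tls:
        return "tls"
    if policy_for(domain) == "encrypt":
        return "refuse"
    return "plain"


def send_with_tls_policy(msg, recipient, relay_host, port=587):
    """Send `msg` (an email.message.Message) to `recipient`, refusing to
    transmit in the clear when policy requires encryption."""
    domain = recipient_domain(recipient)
    with smtplib.SMTP(relay_host, port, timeout=15) as smtp:
        smtp.ehlo()
        # smtplib records advertised extensions, lower-cased, as dict keys
        action = decide_transport(domain, set(smtp.esmtp_features))
        if action == "refuse":
            raise RuntimeError(
                f"{relay_host} does not offer STARTTLS and policy for "
                f"{domain} is 'encrypt'; message NOT sent")
        if action == "tls":
            # The default context verifies the certificate and hostname;
            # a bad certificate raises instead of silently sending anyway.
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()          # re-EHLO after the TLS upgrade (RFC 3207)
        smtp.send_message(msg)
        return action
```

Two caveats for whoever deploys something like this. The check only covers the hop the script talks to; if that hop is the agency's own relay, the relay needs the same mandatory-TLS policy toward the partner's domain (in Postfix, for example, a per-destination `encrypt` entry in `smtp_tls_policy_maps` rather than the default `smtp_tls_security_level = may`), or it will fall back to plaintext on the next leg. And STARTTLS protects only the connection, not the message itself, so a partner whose mail server can't do TLS at all needs a different channel (a secure file-transfer portal or message-level encryption) rather than a weaker policy entry.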

Marla Durben Hirsch (mdurbenhirsch@decisionhealth.com)