Compliance Options for Healthcare Business Associates (and Why You Need Them)
Service providers—e.g., SaaS, IaaS, PaaS—are currently seeing significant growth in the healthcare vertical, where they’re classified as “business associates” to the healthcare providers, insurers, and clearinghouses that are collectively referred to as “covered entities.” (Note that subcontractors to business associates are also classified as business associates.)
Those classified as covered entities are required to stay compliant with applicable international, federal, state, and local laws and regulations—as part of that, they’re required to ensure that their business associates’ services/products meet the same or greater levels of security, making compliance necessary for any business associate to successfully break into the healthcare space.
As long-time assessors of all kinds of service providers against many different standards—including those relevant to healthcare—we’re here to help. If you’re looking to expand your business into the healthcare space, in this article, we’re going to detail why compliance is so important in this sector and how you can determine what kind you need—and your options for obtaining it—so that you can best position yourself to gain some market share.
The Importance of Compliance in Healthcare
According to Global Market Insights, the healthcare IT market is expected to grow at a compound annual growth rate (CAGR) of 13.5%, going from around $300 billion to over $1.1 trillion by 2032 (with $367.7 billion in North America). Parallel to this growth is the healthcare industry’s ongoing digital transformation that’s being driven by patient demands, such as their desire for electronic health records.
But digitization of data—especially personally identifiable information—requires the security and privacy of that data, which is why compliance with enacted laws and regulations has become such a priority among healthcare organizations—covered entities—that want to retain patient trust and business. These enacted laws include:
- HIPAA;
- EU General Data Protection Regulation (GDPR);
- State of Massachusetts Data Protection Act; and
- The Texas Medical Records Privacy Act.
However, those regulations also require covered entities to ensure that the services/products they use as provided by their business associates meet the same standard of security and privacy as is expected of the covered entity.
What Level of Compliance Do You Need to Get Into the Healthcare IT Space?
Those evolving legal and regulatory requirements, plus the increased frequency and complexity of digital attacks in the healthcare space in recent years, have heightened security scrutiny to the point that business associates have begun to realize they’re expected to demonstrate a much more robust security and compliance posture before being trusted.
But how does a business associate determine that necessary “compliance maturity level”? Perhaps (almost) more importantly, how can you address the increased security and compliance expectations without breaking the bank on compliance certifications and assessment reports?
One way to determine that answer is to ask your marketing/sales teams what types of compliance requirements they see in RFPs during sales contracting discussions. But then again, identifying security and compliance requirements during the RFP or sales bid process is not ideal, as compliance certifications are not achieved overnight.
So how can you find out what you need faster so you can more proactively address this compliance challenge?
Questions to Ask to Determine Your Level of Risk
Identifying the level of risk a business associate would likely represent to a covered entity is a good place to start, and asking the following questions can begin to help you categorize yourself into a low, medium, or high-risk category:
1. Does your service/product provide you with access to protected health information (PHI) / electronic protected health information (ePHI)?
   - Yes – medium/high risk
   - No – low/medium risk
2. If the answer to #1 is no, does your service/product transmit, process, or store PHI/ePHI (even if encrypted)?
   - Yes – medium risk
   - No – low risk
3. Would the covered entity be able to continue its daily operations if your service/product was unavailable (e.g., a data center outage)?
   - Yes – medium/high risk
   - No – low/medium risk
Keep in mind that, while this is a good start, the covered entities you work with will each have their own means of determining which risk bucket you fall into and that will drive their expected level of compliance from a business partner for any given solution.
Categories of Healthcare Business Associates
Still, the answers to those questions can at least give you some semblance of which compliance direction would be most beneficial to take.
Low-Risk Business Associates
Yes, even if you’re a potential business associate who falls into the low-risk category, you’ll still be expected to demonstrate your compliance with security and privacy requirements at a basic level. To do so, business associates in this category within the healthcare space often perform at least one of the following:
Medium-Risk Business Associates
Business associates that fall into the medium-risk category will be expected to demonstrate more than just that basic level of cybersecurity—covered entities will want to see an established compliance program that is built on at least one foundational standard/framework and that uses it to validate compliance with applicable laws and regulations.
Business associates in this category typically perform at least two of the following to demonstrate this level of compliance in the healthcare space:
6. Privacy Assessments (e.g., GDPR, APEC Certification, Microsoft SSPA/DPR Assessment)
High-Risk Business Associates
Business associates that fall into the high-risk category are expected to have not just an established compliance program in place, but a mature one. These programs are often led by full-time compliance personnel that:
- Incorporate appropriate standards/frameworks;
- Perform internal assessments; and
- Review metrics to validate that the security and privacy controls are designed and operating effectively.
Business associates in this category typically undergo a HITRUST i1 or r2 Validated Assessment, as adherence to the HITRUST certification standard provides a high benchmark of one’s compliance program, especially in the healthcare space.
Moreover, business associates in this category typically perform at least three of the following to demonstrate this level of compliance in the healthcare space (with one of those being the aforementioned HITRUST i1 or r2 Certification):
6. Privacy Assessments (e.g., GDPR, APEC Certification, Microsoft SSPA/DPR Assessment)
Learn More About Compliance
Compliance is becoming a powerful market differentiator in every business sector, but it is particularly important in the growing healthcare IT market. Any organization seeking to work with covered entities in this space will need to be able to prove a certain level of compliance going in if it wants their business.
Now that you understand how to determine what you need, along with your options to achieve that, you’ll likely need to prepare for these endeavors (including choosing a trusted assessor).
About RYAN MEEHAN
Ryan is a Senior Manager at Schellman. He has worked in public accounting since 2007 specializing in compliance auditing, including SOC examinations, ISO certifications, and healthcare audits such as HIPAA and HITRUST. Ryan has serviced clients in a multitude of industries including business process outsourcing, financial services, information technology, and healthcare. Ryan holds certifications including the CISSP, CISA, ISO 27001 Lead Auditor, CIPP/US, CCSFP, and the Advanced SOC certification.