What is a HIPAA TPA?
Third party administrators (TPAs) provide outsourced services, such as payroll and human resources administration, to smaller healthcare organizations. A TPA that creates, receives, maintains, or transmits protected health information (PHI) on behalf of a healthcare client is a business associate under the Health Insurance Portability and Accountability Act (HIPAA). As a HIPAA TPA, you must comply with the HIPAA Privacy, Security, and Breach Notification Rules to protect both your business and your clients.
HIPAA TPA Requirements
Before you can start accepting healthcare clients, you must be HIPAA compliant. HIPAA TPA requirements are the same as any other business associate's (BA's) obligations. As a HIPAA TPA you are likely to handle patients' PHI as part of your work. The HIPAA Security Rule therefore requires you to have administrative, physical, and technical safeguards in place to protect that information.
As a HIPAA TPA you must have the following safeguards in place before you can work with healthcare clients:
- Administrative: relates to an organization's policies and procedures surrounding the use and disclosure of PHI. HIPAA requires organizations to adhere to the "minimum necessary" standard when using, disclosing, or requesting PHI: only the PHI needed to perform a job function should be accessed. Workforce members must be trained on your organization's policies and procedures, with retraining whenever those policies change; annual refresher training is the common practice for demonstrating this.
- Physical: as an entity with access to PHI, a HIPAA TPA must ensure that its physical sites are secure. This is accomplished through facility access controls such as locks and alarm systems, and any area containing PHI must be kept behind locked doors to prevent unauthorized access. Workstations and portable devices or media that hold PHI are covered by the same requirement.
- Technical: relates to an organization's cybersecurity measures. HIPAA requires the confidentiality, integrity, and availability of electronic PHI to be maintained. As such, it is essential to implement controls such as unique user accounts with access controls, audit logging of access to PHI, encryption of PHI at rest and in transit, firewalls, and tested data backups.
Assessing Safeguards with Self-audits
To ensure that the implemented safeguards are sufficient, it is imperative to complete annual self-audits. HIPAA requires an accurate and thorough risk analysis and periodic evaluation of your safeguards; the following five self-audits, completed each year, are one way to meet those obligations:
- Security Risk Assessment: determines if there are any gaps in an organization’s security and privacy practices so that they may be addressed with remediation plans.
- IT Risk Analysis Questionnaire: assesses the technical protections that are in place, such as firewalls and encryption, to confirm they adequately protect PHI.
- Asset and Device Audit: ensures that every device that accesses PHI has the proper security measures in place. As part of this audit, an organization inventories all such devices, records who uses each device, and documents what protections (for example, encryption, screen locks, and remote wipe) are in place to secure the PHI on it.
- Physical Site Audit: this audit requires organizations to assess their physical location to ensure that all areas containing PHI are secure with locks or alarm systems. Physical records containing PHI should be stored in locked filing cabinets or rooms.
- HITECH Subtitle D Audit: ensures that an organization has documented breach notification procedures that meet the HIPAA Breach Notification Rule, including how incidents are assessed and how and when affected parties are notified.
Business Associate Agreement
To protect yourself as well as your clients, it is essential to have a signed business associate agreement (BAA) in place before a client shares any PHI with you; HIPAA requires this contract. A BAA sets out each party's obligations, so that in the event of a breach responsibility can be attributed to the party at fault. It does not remove a business associate's direct liability under HIPAA for its own safeguards. A BAA also specifies what protections must be in place, requires you to report breaches of unsecured PHI to the client, and states the reporting timeline and which party notifies affected individuals. If you pass PHI to subcontractors, you must have your own BAA with each of them.