When You’re a Business Associate (BA), Risk Assessments Are Now Your Best Friend.

Why do you need to keep protected health information (PHI) safe? Law offices need to collect PHI to conduct due diligence. However, clients expect their information to be secure from hacking, improper disclosure, and information blocking. If PHI is exposed, your organization will have to contend with reputational damage, and the financial penalties can be pretty steep.

HHS defines a business associate (BA) as a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of or provides services to a covered entity.

One of the best ways for law offices to protect clients' PHI and avoid costly fines is to conduct regularly scheduled risk assessments. Although HHS requires risk assessments, they also help you lay the groundwork to keep your procedures and to train up to date.

Here are ten useful steps and actions to help protect your organization and your client's trust.

1. Set aside time to ensure that your procedures are up to date and that anyone involved with any aspect of PHI is familiar with the proper handling.

2. Ensure that you put together an appropriate assessment that doesn't contain any gaps.

3. Ask yourself the following questions: (If you answer no to even one of the below questions, securing the boundaries around your PHI requests, storage, and movement is imperative.)

4. Do you have a protocol for breaches?

5. Who is aware of your process?

6. Are team members trained regularly?

7. Do you have a written PHI security and transfer policy available for review?

8. Are your policies up to date to reflect changes related to PHI?

9. Review or develop your PHI process

10. Ensure that everyone involved with PHI in any way understands HIPAA

11. Involve your IT team to ensure that the proper security measures are implemented and up to date

12. Review the use of USBs and apps

13. Ensure your staff is utilizing strong passwords

14. Work with an organization that can support a secure request-for-records ecosystem.

15. Make mandatory Risk Assessments a yearly requirement.

Developing a solid risk assessment protocol and the program has many benefits. Not only will you ensure that your security standards continue to improve, but you will also protect a valuable resource, your reputation.

Think of risk assessments like a best friend that stands over your shoulder and tell you the truth, even when you don't want to hear it. Yes, they can be a little annoying initially, but you appreciate them in the end.