Several of our Tennessee-based agents have received a revised Business Associate Agreement (BAA) from BlueCross BlueShield of Tennessee (BCBST). The new BAA adds more stringent requirements: agents must now prove to BCBST that they are compliant with HIPAA, not simply promise that they are.
What is BCBST Looking For?
BCBST is requiring agents to sign the updated BAA within 30 days of receiving the letter. Before signing, an agent must provide one of the following items to prove it is complying with HIPAA:
- A copy of a SOC 2 audit report completed within the last twelve (12) months; or
- A signed attestation from the agency CEO or a similar senior individual stating that the agency has implemented the physical, technical and administrative safeguards required by HIPAA (as defined under Part 160 of Title 45 of the Code of Federal Regulations).
The BCBST letter states, “If you don’t return the BAA and required documentation, it could jeopardize your business relationship with us.” BCBST means business. The letter indicates that all agents must meet these guidelines by July 1, 2018.
Option 1: SOC 2 Audit
A Service Organization Control 2 (SOC 2) report is an in-depth examination performed by a licensed CPA firm under AICPA attestation standards. It is the kind of report typically requested of technology service providers that store or process customer data on their clients' behalf. A SOC 2 evaluates a company's controls against the Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. The cost ranges from $20K to $70K, depending on the audit firm, and because BCBST wants a report completed within the last twelve months, it must be repeated annually. A SOC 2 audit is cost-prohibitive for most agencies and is a more detailed examination than a small to midsize agency needs.
Option 2: Signed Attestation
Once an agency has actually implemented the administrative, physical and technical safeguards HIPAA requires, and can document that it has, its leaders can sign the attestation with confidence. The attestation is only as good as the evidence behind it: a current risk analysis, written policies and procedures, and training records.
What if the agency signs the attestation without implementing the compliance requirements?
This is a huge risk for an agency. A signed attestation that is not backed by real controls becomes evidence against the agency after a breach. Not only could the agency lose its contract with the carrier (which would be financially devastating to most agencies), but the agency could be fined by the US Department of Health and Human Services' Office for Civil Rights (HHS OCR) and, in some states, sued by its clients using HIPAA as a standard of care.
Why is BCBST taking such a hard position?
In a conversation on February 5, 2018, with BCBST's Privacy Officer, Total HIPAA was informed that new security guidelines have been issued by the BCBS Association. Over the last five years, there have been significant increases in the size and number of fines imposed by HHS OCR for security breaches. BCBS recognizes that its agents need to meet the HIPAA compliance requirements.
A second reason is the more aggressive position taken by four state Attorneys General and the courts. These states have opened the door for plaintiffs to seek damages for breaches of their protected health information.1 This increases BCBST's concern about the potential financial impact on its business as other states adopt similar rulings.
What should my agency do?
Very few agents will choose a SOC 2 audit because of the cost: an agency will spend between $20,000 and $70,000 to complete the audit, and will have to repeat it every year.
The most cost-effective approach is to implement a comprehensive HIPAA compliance program. The process requires you to complete a Risk Assessment (the risk analysis required by the Security Rule at 45 CFR 164.308(a)(1)(ii)(A)), generate customized Privacy and Security Policies and Procedures, and train your staff on your agency's requirements. Keep the resulting documentation: it is what the attestation rests on, and it is the first thing HHS OCR asks for in an investigation. Going this route will cost you a fraction of what a SOC 2 audit costs.
In the coming months, expect to see more carriers, and BCBS plans in other states, adopt similarly stringent requirements for agents to prove they are HIPAA compliant. Is your agency prepared?
Want to learn more about HIPAA Prime™, and how Total HIPAA can help your agency sign the carrier attestation without breaking into a cold sweat? View our video about HIPAA Prime and contact us:
1 Courts in Connecticut, North Carolina, Missouri, and West Virginia have ruled that patients can sue their doctors directly using HIPAA as a standard of care. HIPAA itself provides no private right of action, so the patients are not actually suing for a HIPAA violation; they are suing providers for malpractice or negligence, arguing that HIPAA's Privacy and Security standards define the reasonable care a patient can expect from a healthcare provider.