Looking for a Business Associate Agreement? Download our FREE template.

Total HIPAA Logo

BlueCross BlueShield of Tennessee Now Requires Agents Confirm They are HIPAA Compliant

Several of our Tennessee-based agents have received a revised Business Associate Agreement (BAA) from BlueCross BlueShield of Tennessee (BCBST). This new BAA includes more stringent requirements for agents to prove to BCBST they are compliant with HIPAA.

What is BCBST Looking For?

BCBST is requiring agents to sign an updated BAA within 30 days of receiving the letter. Before signing the agents must provide one of the following items to prove they are complying with HIPAA:

  1. A copy of a SOC 2 Audit completed within the last twelve (12) months; or
  2. Sign an attestation from the agency CEO or similar senior individual that the agency has implemented the physical, technical and administrative controls described in the HIPAA law (as defined under Part 160 of Title 45 of the Code of Federal Regulations).

The BCBST letter states, “If you don’t return the BAA and required documentation, it could jeopardize your business relationship with us.” BCBST means business. The letter indicates that all agents must meet these guidelines by July 1, 2018.

Option 1: SOC 2 Audit

A Service Organization Control 2 or SOC 2 report is an in-depth audit that is performed with the assistance of a CPA (and more appropriate for a company that conducts most of its business through credit card transactions). A SOC 2 will look at a company’s security, availability, processing Integrity, confidentiality, and privacy. The cost will range from $20K to $70K, depending on the audit firm, and it needs to be updated annually. A SOC 2 audit is cost-prohibitive for most agencies and is a more detailed examination than a small to midsize agency needs.

Option 2: Signed Attestation

Once an agency has completed the requirements outlined in the HIPAA law, the agency’s leaders can comfortably sign the attestation.

What if the agency signs the attestation without implementing the compliance requirements?

This is a huge risk for an agency! If there is a breach, not only could the agency lose their contract with the carrier (which would be financially devastating to most agencies), but the agency could be fined by the US Department of Health and Human Services’ Office for Civil Rights (HHS OCR) and in some states, sued by its clients using HIPAA as a standard of care.

Why is BCBST taking such a hard position?

In a conversation on February 5, 2018, with BCBST Privacy Officer, Total HIPAA was informed new security guidelines have been issued by the BCBS Association. Over the last five years, there have been significant increases in the size and number of fines imposed by HHS OCR for security breaches. BCBS recognizes that their agents need to meet the HIPAA compliance requirements.

A second reason is a more aggressive position taken by four state Attorneys General and the courts. These states have opened the opportunity for plaintiffs to seek damages for breaches of their protected health information.1 This increases BCBST’s concern of potential financial impact on its business as other states potentially implement similar rulings.

What should my agency do?

Very few agents will choose a SOC 2 audit because of the cost. An agency will spend between $20,000 and $70,000 to complete the audit.

The most cost-effective approach is to implement a comprehensive HIPAA compliance program. The process requires you to complete a Risk Assessment (analysis), generate customized Privacy and Security Policies and Procedures and train your staff on your agency’s requirements. Going this route will cost you a fraction of completing a SOC 2 audit.

In the coming months, they expect to see more carriers and the BCBS from other states adopt similar stringent requirements for agents to prove they are HIPAA compliant. Is your agency prepared?

Want to learn more about HIPAA Prime™, and how Total HIPAA can help your agency sign the carrier attestation without breaking into a cold sweat? View our video about HIPAA Prime and contact us:

Contact Us

1Courts in Connecticut, North Carolina, Missouri, and West Virginia have ruled patients can sue their doctors directly using HIPAA as a standard of care. This means the patients aren’t actually suing for a HIPAA violation, but suing providers for medical malpractice, saying HIPAA Privacy and Security are reasonable expectations from your healthcare provider.

Sharing is caring!

Documents

Looking for a Business Associate Agreement?

Download our free template to get started on your path toward HIPAA compliance.


Download Now

Want to stay informed?

Join our community, stay ahead of the curve on HIPAA compliance and receive free expert guidance.

State of HIPAA Compliance in 2024

Watch the recording of this webinar to learn more about how you can become and stay HIPAA compliant!

Document

Related Posts

What is Access Control in terms of HIPAA?

What is Access Control in terms of HIPAA?

Access control, in terms of cybersecurity, refers to the practice of managing and regulating who can access specific resources, systems, or data within an organization's network or information...

Save & Share Cart
Your Shopping Cart will be saved and you'll be given a link. You, or anyone with the link, can use it to retrieve your Cart at any time.
Back Save & Share Cart
Your Shopping Cart will be saved with Product pictures and information, and Cart Totals. Then send it to yourself, or a friend, with a link to retrieve it at any time.
Your cart email sent successfully :)