Business Associates (BAs) can be held liable for violations of certain provisions of the HIPAA Security, Privacy and Breach Notification Rules. Therefore, it is essential for BAs to ensure they have the appropriate measures in place, and are properly safeguarding the Protected Health Information (PHI) of Covered Entities (CEs).

As the trusted PHI disclosure management partner and BA of many of the nation’s leading healthcare provider organizations, MRO takes special measures to ensure compliance, and suggests fellow BAs add these tips to their checklists when reviewing their HIPAA compliance programs:

1. Review and update policies and procedures
One great way to verify that a BA has the required and up-to-date policies and procedures is to compare them to the HIPAA Administrative Simplification Rule’s table of contents, making sure the policies and procedures can be “cross-walked” to the applicable provisions of the HIPAA Rules.

2. Conduct a risk analysis on a regular basis
Conducting a thorough risk analysis provides the foundation for implementing many Security Rule safeguards. Additionally, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has cited organizations for failing to conduct proper and complete risk analyses in almost all its HIPAA violation resolution agreements. To help with this crucial process, HHS has published guidance that should be reviewed.

3. Confirm Business Associate Agreements
BAs can be held liable for certain violations of the HIPAA Regulations by their subcontractors—entities to whom the BA delegates a function, activity or service—if they do not have Business Associate Agreements (BAAs) in place. Therefore, it is critical that BAs have up-to-date BAAs with all subcontractors. For more information, HHS has published guidance on BAAs, containing a sample agreement.

4. Train your workforce
Workforce members should undergo formal training at least once a year to ensure they understand PHI use and disclosure requirements under federal and state law, and what policies and procedures the healthcare organization has implemented to ensure compliance.

5. Confirm insurance status
In the past year, organizations across the country have paid more than $16 million as part of resolution agreements and civil money penalties to the OCR for HIPAA violations. Given the cost of HIPAA violations, it is important that BAs confirm they have insurance coverage in the event of a HIPAA violation. This is especially important because many CEs require that their BAs indemnify them in the event of such an incident.

MRO will present on this topic on August 17, 2016 in AHIMA’s Virtual Privacy and Security Academy session “HIPAA Compliance for Business Associates,” worth three credits. Please enter your email address below to receive our special promo codes for 15 percent off registration.

This blog post is made available by MRO’s general counsel for educational purposes only, as well as to give general information and a general understanding of the law, not to provide specific legal advice. This blog post does not create an attorney-client relationship between the reader and MRO’s privacy and compliance counsel. This blog post should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.