
MRO recently sponsored and hosted an AHIMA Virtual Privacy and Security Academy session covering Business Associate (BA) and subcontractor management. BAs perform a wide array of services for healthcare organizations, and because a covered entity remains responsible for the PHI it hands to them, it is important to ensure they are HIPAA-compliant and that the relationship is documented.

Here are four tips for BA compliance covered in the Virtual Academy session.

1) Inform BAs of expectations

BAs and subcontractors should understand their HIPAA obligations; since the 2013 Omnibus Rule they are directly liable for Security Rule compliance and for the terms of their BAAs. Healthcare organizations need to articulate clearly which uses and disclosures of Protected Health Information (PHI) are permitted, and which are not, to each BA. It is also important to communicate how compliance will be monitored, so that audits and access reviews are expected rather than contested.

2) Hold BAs accountable

When drafting contracts and Business Associate Agreements (BAAs), it is important to establish accountability. Ensure BAs are held responsible for their use of PHI: the BAA should spell out permitted uses, require the BA to report security incidents and breaches to the covered entity, require the same restrictions to flow down to any subcontractors the BA engages, and define what happens to PHI when the agreement ends.

3) Perform ongoing due diligence

Create a risk matrix specific to each BA's use of PHI: what data the BA receives, how much, how it is transmitted and stored, and who can reach it. Use the matrix to prioritize risks, characterizing them as high, medium or low, and to decide how closely each BA is monitored. It is also a best practice to disable access promptly when a BA relationship ends and to receive notification if any user associated with a terminated BA still accesses PHI, since lingering accounts are a common gap.
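One way to implement that last check, as an added example that is not part of the Virtual Academy session or MRO's material: reconcile a PHI access-log export against a roster of BA termination dates and flag every access that falls after the BA's termination. The CSV column names, the roster, and the sample log rows below are all constructed for illustration; a real deployment would read these from the audit-log and contract systems.

```python
"""Flag PHI access by users tied to terminated Business Associates.

Added example (not from the MRO/AHIMA session): it reconciles an access-log
export against a roster of BA terminations. Field names, log format and the
sample rows are constructed for illustration.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed roster: BA name -> datetime the contract/BAA was terminated (UTC).
TERMINATED_BAS = {
    "Acme Transcription": datetime(2024, 3, 31, 23, 59, tzinfo=timezone.utc),
    "Northwind Coding Svc": datetime(2024, 6, 15, 17, 0, tzinfo=timezone.utc),
}

# Constructed PHI access-log export (CSV). The column layout is an assumption.
SAMPLE_LOG = """\
timestamp,user,organization,action,record_id
2024-03-30T14:02:11Z,jdoe,Acme Transcription,VIEW,MRN-1001
2024-04-02T09:15:43Z,jdoe,Acme Transcription,VIEW,MRN-1002
2024-04-02T09:17:00Z,asmith,Acme Transcription,EXPORT,MRN-1003
2024-06-15T16:59:59Z,bwong,Northwind Coding Svc,VIEW,MRN-2001
2024-06-16T08:00:00Z,bwong,Northwind Coding Svc,VIEW,MRN-2002
2024-06-16T08:05:00Z,clee,Contoso Release of Info,VIEW,MRN-3001
"""


def parse_timestamp(value):
    # ISO 8601 with a trailing Z; fromisoformat on Python < 3.11 rejects "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_post_termination_access(log_text, terminated_bas):
    """Return rows where a user of a terminated BA touched PHI after termination.

    Accesses on or before the termination timestamp are legitimate and skipped;
    organizations not in the roster are treated as active and skipped too.
    """
    flagged = []
    for row in csv.DictReader(io.StringIO(log_text)):
        cutoff = terminated_bas.get(row["organization"])
        if cutoff is None:
            continue  # BA still active (or not a BA): nothing to flag
        when = parse_timestamp(row["timestamp"])
        if when > cutoff:
            flagged.append({
                "user": row["user"],
                "organization": row["organization"],
                "action": row["action"],
                "record_id": row["record_id"],
                "days_after_termination": (when - cutoff).days,
            })
    return flagged


def summarize_by_user(flagged):
    """Count post-termination accesses per user, for the notification or ticket."""
    counts = {}
    for hit in flagged:
        counts[hit["user"]] = counts.get(hit["user"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_post_termination_access(SAMPLE_LOG, TERMINATED_BAS)
    for h in hits:
        print(f"ALERT {h['organization']}/{h['user']} {h['action']} {h['record_id']} "
              f"({h['days_after_termination']}d after termination)")
    print(summarize_by_user(hits))
```

Run against the constructed data, the check flags three rows (two Acme users after 31 March, one Northwind user the morning after the 15 June cutoff) and leaves the 16:59:59 Northwind access alone, because it occurred before termination. The comparison is against the termination timestamp rather than the date so that same-day accesses are judged correctly.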

4) Perform risk assessments

Healthcare organizations should perform regular privacy and security risk assessments that cover the PHI their BAs hold, not only the PHI they hold themselves. Separately, when a BA reports an impermissible use or disclosure, the organization must assess the probability that the PHI was compromised using the HIPAA Breach Notification Rule's four factors: the nature and extent of the PHI involved, including the identifiers present and the likelihood of re-identification; the unauthorized person to whom the PHI was disclosed; whether the PHI was actually acquired or viewed; and the extent to which the risk has been mitigated. That assessment, and its outcome, should be documented.

The Virtual Academy session concluded with an activity discussing BAAs, in which participants were given a scenario and asked to identify items for inclusion in hypothetical BAAs, putting what they learned into action.

Discover more tips for managing BAs by downloading the MRO-authored Journal of AHIMA article “Reduce BA Risk through Due Diligence and Documentation.”