HIPAA compliance for Business Associates (BAs) was the topic of MRO’s AHIMA Virtual Privacy and Security Academy session this month. I presented alongside my colleagues Sara Goldstein, Esq., general counsel and Rita Bowen, MA, RHIA, CHPS, SSGB, vice president of privacy, HIM policy and education.

During this three-credit course, we discussed how BAs must now comply with the HIPAA Security Rule and certain provisions of both the HIPAA Privacy Rule and the HIPAA Breach Notification Rule. We emphasized that BAs can be held liable for violating these rules, as well as for violations by their subcontractors.

We also covered several best practices BAs can follow to stay HIPAA-compliant and avoid liability, which you can learn more about in Sara Goldstein’s recent post.

Although it’s difficult to summarize all of the valuable insight shared during our session, the six major tips offered by our experts included:

1. Check your insurance policy
Verify insurance coverage in the event of a HIPAA violation.

2. Conduct regular internal and third-party audits
Regular internal and third-party technical audits are the foundation of implementing Security Rule administrative, physical and technical safeguards.

3. Consider applying for Health Information Trust Alliance (HITRUST) certification
HITRUST provides an information security framework to harmonize standards and regulations.

4. Implement the right technologies
Utilizing technologies like encryption, access tracking software and record integrity applications, powered by optical character recognition (OCR) software, can also drive BA HIPAA compliance.

5. Document compliance programs
Business Associate Agreements (BAAs) can ensure HIPAA compliance, and hold subcontractors liable for potential violations.

6. Invest in training and education
Workforce members should undergo formal training at least once a year on privacy, security and compliance, as well as on federal and state disclosure laws, and the healthcare organization’s policies and procedures.

After covering these topics, the Virtual Academy session concluded with a fun, educational and impactful group activity where participants were assigned disclosure management case studies that explored how to identify HIPAA violations and breaches. Rita Bowen and I then tested the participants on their knowledge.

MRO’s team will delve more into the topic of BAs in the next session of AHIMA’s Virtual Privacy and Security Academy: “Advanced Business Associate and Subcontractor Management” on November 9, 2016. If you are interested in attending the session, please fill out the form below and you’ll receive MRO’s promo code for a 15 percent discount.