Reduce BA risk through due diligence and documentation
MRO wrote an article for the October issue of Journal of AHIMA, exploring why it’s important for healthcare organizations to ensure the HIPAA-compliance of the entities they partner with to help carry out healthcare activities, and what they can do to guarantee that compliance. Entities that create, maintain or transmit Protected Health Information (PHI) on behalf of a provider organization are considered Business Associates (BAs) under HIPAA, and, as of 2013, can be held liable for violations of the HIPAA Security and Breach Notification Rules and certain provisions of the HIPAA Privacy Rule.
These BAs include PHI disclosure management partners like MRO, as well as providers of services less obviously tied to privacy and security compliance, such as food services companies. Regardless of a BA's line of business, provider organizations need to conduct due diligence and execute Business Associate Agreements (BAAs), ensuring that BAs have HIPAA-compliant policies and safeguards in place.
BAs have come under increased scrutiny from the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) in recent years. This attention stems in part from the large amount of electronic PHI (ePHI) that BAs hold, putting providers and their patients at risk.
Conduct due diligence
While it is very important to conduct due diligence on BAs before beginning a partnership, due diligence should also be part of the provider's ongoing risk analysis. Providers should create a questionnaire for BAs asking how they protect PHI. If red flags are identified, a more in-depth review or assessment should be conducted.
In addition to these due diligence questionnaires, provider organizations should obtain “satisfactory assurances” from BAs in writing. These “satisfactory assurances,” which state BAs will appropriately safeguard the PHI they receive or create on behalf of the provider organization, are required under the HIPAA Privacy Rule.
Additionally, to protect both the provider organization and the BA, both parties should encourage transparency about information and processes from the start. Beginning with thorough due diligence establishes an open relationship and helps forge a trusting long-term partnership.
To learn more about managing BA risk, join us for AHIMA’s Virtual Privacy and Security Academy. The next session, hosted by MRO, will cover BA and subcontractor management, and will be held on December 14, 2016. Please enter your email address below to receive our special promo code for 15 percent off registration.
This blog post is made available by MRO’s general counsel for educational purposes only, as well as to give general information and a general understanding of the law, not to provide specific legal advice. This blog post does not create an attorney-client relationship between the reader and MRO’s privacy and compliance counsel. This blog post should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.