Eight Tips to Get Your Business Associates to Comply with HIPAA

Dom Nicastro, for HealthLeaders Media, July 16, 2009

3. Run a gap analysis on covered entity contracts.

HITECH is new, and existing contracts will probably leave gaps. "We haven't been in this world before," Christiansen says. "Find your gaps and what you will do about them."

You may want to wait for further regulations before you finalize your contracts. However, start by consulting your legal team. You may need to provide a contract in the future, but the onus now is only on the covered entity, according to current law.

4. Don't rewrite the entire contract.

"The changes to the BA contracts should be minimal," says Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR. Apgar suggests including a new short statement or paragraph indicating that the BA must now comply with the HIPAA security rule and the use and disclosure provisions of the privacy rule.

5. Add breach notification language to BA contracts.

The language should require the BA to notify the covered entity within five days of a breach, Apgar says. This aligns with California's new breach notification requirement for notifying the state that a breach has occurred, and it settles when the 60-day notification clock starts.

"Also, I would recommend adding language requiring that the BA pay the cost of notification, which could get rather expensive if the breach includes a significant number of individuals," Apgar says.

6. Add language about the Red Flags Rule.

Covered entities (primarily providers) should consider adding language to the BA contract requiring that certain BAs implement identity theft management programs, Apgar says. The Red Flags Rule requires covered entities that are considered creditors by FTC standards to adopt an identity theft prevention program by August 1.

7. Build your breach notification processes.

This is perhaps the biggest change for BAs. Christiansen says BAs must put a policy in writing per the HITECH Act. "You need to be able to coordinate this by fall [of 2009] at the latest," he says. "This is going to be a big issue for a lot of BAs."

8. Train, train, train.

Herold says she's seen horrible training in the BA community. "Make sure your policies document the need for regular training, along with ongoing awareness communications," she says. "Then use effective training content. Just throwing words in front of your personnel is not training."

Get your hands on HIPAA resources, such as training books, e-learning courses, and webinars. Check with your covered entities to see what they have done.


Editor's note: These tips were taken from the HCPro, Inc. white paper, Business Associates and HIPAA: What BAs need to know to comply with HIPAA privacy and security rules. Download a free copy of the full white paper.


Dom Nicastro is a senior managing editor at HCPro, Inc. in Danvers, MA. He edits the Briefings on HIPAA newsletter and manages the HIPAA Update Blog. E-mail him at dnicastro@hcpro.com.