CEs must ensure that their BA agreements emphasize the need for BAs to stay current with the latest HITECH requirements pertaining to the HIPAA privacy and security rules and with the enforcement consequences of noncompliance, says Parmigiani.
BAs need to make sure BA contracts are in place for all of their CE customers. HITECH made BAs equally responsible for entering into a BA contract with CE customers. BAs should ensure the contracts include language that puts the CE on notice that the BA is required to inform the CE if the CE appears to be violating the HIPAA privacy and security rules. If the CE does not comply with the rules within a reasonable length of time, the BA is required to report the CE's violations to OCR.
BA contracts should address the role of BAs in a privacy breach in more specific language. Address questions such as breach notification requirements and financial responsibility for responding to a breach, says Patrick. “All that needs to be spelled out,” she says.
HITECH addressed the need for BA compliance. The proposed rule would extend compliance requirements to BA subcontractors by expanding the definition of BA to include them.
CEs are required to include language in BA contracts that mandates downstream compliance with the HIPAA privacy and security rules by BAs’ subcontractors with access to the CE’s PHI, says Parmigiani. Be sure BA contracts require BAs to impose the same compliance requirements on their subcontractors.
2. Focus on working relationships with BAs. Sometimes CEs sign contracts with their BAs and their interaction ends there. “You have agreements with people who have never even met each other,” says Patrick. CEs need to know they can count on their BAs if a security breach occurs, she says. That is when you want to be able to pick up the phone, reach your BA, and know you can rely on the people there. There must be a good working relationship among the BA, the department head who works most closely with that BA, and the HIPAA privacy and security officer.