As of February 17, all business associates (BAs) must comply with the HIPAA security rule and parts of the privacy rule or face stiff penalties.
It's time to do a last-minute check to make sure they are.
Know your BAs. Most importantly, double-check your list of BAs, says Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, MA.
Make sure that anyone who could qualify as a BA has been accurately identified as a BA. For example, your organization may not realize that a consultant who has access to protected health information (PHI) actually qualifies.
Make sure organizations you have identified as BAs actually are, says Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of HIPAA Boot Camp in Casa Grande, AZ.
In the early days of HIPAA, many organizations decided to err on the side of caution and made pretty much everyone sign a BA contract, says Ruelas. But that decision may come back to haunt them with this new compliance date pending.
Gauge your BAs' readiness. The next item on your last-minute checklist is to make sure that your BAs know that they are expected to comply with these regulations. Even this late in the game, some organizations might not know that they are required to be HIPAA compliant, says Ruelas.
Don't just ask your BA whether they are HIPAA compliant; ask them specific questions to gauge their readiness, such as how they would handle specific scenarios, says Borten. Some BAs also may not understand the full extent of what they are now required to do, says Ruelas. For example, they might know they have new breach notification requirements but be unaware of their other responsibilities.
Make sure your BA contract language is up to date. Once you've checked up on your BAs, make sure you have legal contracts that include all the language required by the privacy and security rules and HITECH Act.
Put expectations in writing. For example, make sure that the covered entity and BA agree on what each party must do when a breach is discovered. Spell out in the contract how long the BA has to report a breach to your organization once it is discovered.
Requiring rapid notification ensures that you are notified in a timely manner and that you can work with the BA to determine the cause and fallout of the breach before the deadline by which federal law requires you to report it, he says.
Brace for contract updates. Be prepared to update the contract next month when the government is expected to release new breach notification guidance. Many hope that this guidance will clear up some lingering questions related to how elements of the HITECH Act should be incorporated into BA agreements.
Hire an attorney who knows HIPAA. If you are hiring, look for an attorney who specializes in HIPAA to review your BA contracts. Borten says she's seen many a competent attorney include contract provisions that were not HIPAA compliant simply because the rule is complex and requires someone with specialized knowledge to interpret and apply it correctly.
Beware of subcontractors. Include language regarding subcontractors. Know to whom your BAs subcontract work and stay informed on these arrangements, says Borten. Consider requiring the organization to notify you if they are using a subcontractor, particularly one that is offshore. Some organizations go so far as to prohibit BAs from subcontracting work offshore, says Borten.
Don't view BAs as adversaries. "Covered entities and BAs have been partners for years; it is not something that has to cause a divide," says Ruelas. If your BAs need help becoming compliant, help them along. Your organization likely spent a lot of time getting up to speed on HIPAA. Save your BAs some of that work by sharing with them what you've already done.
"It really serves no purpose to say to them figure it out yourself," says Ruelas. Set aside a day and have them come in and talk to your designated privacy officer or security officer.
"You're helping each other out. It is a symbiotic relationship," says Ruelas.
Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.