Got room in your budget to pay off a $750,000 settlement simply for not having an up-to-date Business Associate Agreement (BAA) in place with a vendor? Probably not! If any of your subcontractors create, receive, maintain, or transmit Protected Health Information (PHI) on your behalf, it is very likely that you need a BAA with that vendor. Not only might a BAA be required by the HIPAA Rules, but it can also protect your organization in the event of a major breach of PHI. Here are 10 tips to stay compliant and avoid costly fines and settlements:
- Make sure your BAAs are up-to-date. Any BAAs that are dated prior to September 23, 2013 are no longer valid due to the publication of the HIPAA Omnibus Rule. The Omnibus Rule made several modifications to HIPAA Rules that directly affected Business Associates. Those changes are not reflected in BAAs signed prior to the effective date of the Omnibus Rule.
- Make sure your list of Business Associates (BAs) is complete. Work with your Accounts Payable, Vendor Contracts or Purchasing departments to ensure that you have a complete list of vendors that create, receive, maintain, or transmit PHI on your behalf. It is the Office for Civil Rights’ (OCR’s) expectation that you will know which vendors are using, disclosing, storing, or transmitting PHI on your behalf. “HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” said Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.”
- Make sure your current BAA template contains all required elements. Define your reporting timelines for breaches, Security Incidents, Privacy Incidents, accountings of disclosures, patient requests for records, making amendments, and term and termination, just to name a few. Do you want ALL Security Incidents reported to you, or just the successful ones? gov has a great BAA template available if you are seeking one.
- Limit your BAA template to HIPAA requirements. Any non-HIPAA related requirements should be covered in the sales agreement or contract for services with the vendor. The BAA should be a separate, stand-alone document.
- Keep a matrix of contact information for each BA. This will come in handy for audits and inquiries. Have the email address, physical address, direct phone number, and job title of at least one contact person from your vendor readily available. It is also helpful to have a description of the nature of the relationship with your vendor.
- Limit your liability. If your BA is responsible for a breach, a good BAA can limit your liability for fines, cost of notification, attorney’s fees, etc. Keep in mind, your BAs are businesses with limited resources as well, so try to stay within reason. It is your duty to seek out a BAA with your subcontractor.
- Check in with your BAs. Once a year, or once every other year, send your BAs a questionnaire to make sure they are complying with all the elements of the BAA they signed with you. How are they safeguarding your PHI? Are they sending your PHI to their subcontractors, and why? Who is the designated Privacy Officer? If you are outsourcing billing and you haven’t had a single report of a misdirected invoice or other privacy incident from your BA, request a copy of your BA’s policies on Breach Response and PHI Uses and Disclosures.
- Check on your BAs. At least once a month, the Office of the Inspector General (OIG) updates the List of Excluded Individuals and Entities (LEIE). If any of your BAs are on this list, you could be submitting false claims! According to the OIG, “Those that are excluded can receive no payment from Federal healthcare programs for any items or services they furnish, order, or prescribe.” Best practice is to check your vendors against this list every time the OIG updates it, which is monthly.
- Check your BAA timelines for reporting. For instance, Security and Privacy Incidents may be considered “discovered” on the first day they are known to your subcontractor, not necessarily on the day your subcontractor notifies you of the incident. For many HIPAA reporting timelines, the countdown for such incidents begins on the date of discovery.
- Check your BAAs for clarity. The fallout from a major Privacy Breach is not the time to determine who will take what actions. In the case of such an event, who is to perform the risk assessment to determine if PHI has been compromised or not? What information do you specifically require your BA to report to you? Who will make the appropriate notices to authorities? What immediate action should your BA take? What actions should your BA not perform?
Since many of us do not have the luxury of a bottomless budget, avoid unnecessary fines by taking some simple steps to protect your organization. BAAs are an easy place to start bolstering your defenses against preventable and pricey penalties.