Huh? Another HIPAA deadline?
By September 22, 2014, we must have a compliant business associate (BA) agreement in place, because we are not sure when we last updated the one in use now. Here’s how we’re breaking it down. First, we are not responsible for our BA’s or their subcontractors’ HIPAA compliance.
But we do have a responsibility for diligence, and we are responsible for engaging the services of HIPAA-compliant BAs and subcontractors. We’ll be reviewing our information technology assets (hardware and software) to confirm that they are as HIPAA-compliant as possible and that they have been installed in a HIPAA-compliant fashion by HIPAA-compliant vendors/BAs.
As a practice committed to being digital, here are some things we’re having our HIPAA legal counsel explain and our IT solution provider help us address. September will be here before we know it, so here’s a “starter” list of HIPAA compliance assurances that we’re asking our BAs to discuss and document with us (note: this is also a good checklist for your own practice to be in compliance):
- Do they enter into “compliant” Business Associate agreements with any subcontractor or third party with whom they share our PHI (protected health information) in order to fulfill their obligations to us as a covered entity?
- Do they have a named HIPAA Security Officer and Privacy Officer (with 24×7 contact info)?
- What is their process for writing, approving, distributing, evaluating, updating and archiving all appropriate PHI protection policies and procedures? Manually managing the 30+ HIPAA policies, procedures, plans and guidelines that may be produced is fast becoming impossible.
- What is their Incident Response/Management and Breach Notification Plan?
- Do they have a HIPAA-conformant Risk Analysis?
- Do they have a tested Business Continuity Plan, Disaster Recovery Plan, Emergency Management Plan, and Backup/Restore Plan?
- Regarding workforce training, who was trained, when, and what training did they receive? Not only training on terms and concepts: in several states, specific levels of training are required based on job roles and how much risk each role’s exposure to PHI creates.
- How do they perform compliance gap assessment?
- Do they have a Remediation/Corrective Action Plan and regular status review dates?
- How are they addressing state-specific privacy and security for PHI?
One final scary perspective: it is we, the covered entity, who must notify individuals in the event of a breach, even if we didn’t cause it. This could get costly, and there are things we’re doing as a Digital Practice to mitigate it, but that’s a topic for another time.
We’ve put up a BA Wrangler BA Assurance resources page here with links to information you may find helpful:
Disclaimer: This article is for educational purposes only. It does not constitute legal advice. Compliance law is constantly changing and this information may be incomplete or outdated as of the date of its release. Do not act or rely on any information in this report without seeking competent legal counsel, licensed to practice law in your jurisdiction.