Updating HIPAA Business Associate Agreements: 3 Steps

September 23, 2014

Your practice's business associates can expose it to HIPAA violations. Here are three steps to confirm that your vendors are protecting the protected health information (PHI) you share with them.

Under the HIPAA Omnibus Final Rule published in January 2013, the general deadline for compliance with the new HIPAA rules was Sept. 23, 2013. However, the rule built in an exception for physician practices and other covered entities (CEs): business associate agreements (BAAs) that were entered into on or before Jan. 25, 2013 did not have to be brought into compliance with the Omnibus Rule until Sept. 23, 2014.

Failing to ensure that your BAAs are HIPAA compliant can lead to penalties that devastate a medical practice financially, and to reputational damage if protected health information (PHI) is stolen.

If you have missed the Sept. 23 deadline, by the letter of the law you are out of compliance. The chance of being audited on that point is slim, so there is probably no need to panic. With that said, do not drag your feet; pull your program together as soon as possible. By all accounts, the Office for Civil Rights is going to increase enforcement audits starting Jan. 1, 2015, and you should be prepared.

Here are three steps practices should take to comply with the requirements of this final Omnibus Rule deadline.

1. Identify your business associates. A helpful way to identify your practice's business associates: pull up accounts payable to get a complete list of vendors. With this list in front of you, identify the vendors that have access to your PHI. These may include IT companies, transcription companies, coding and billing companies, consultants, collection agencies, and shredding companies.

Note: Under the Omnibus Rule, the definition of business associate was reworded. It now includes any vendor that creates, receives, maintains, or transmits PHI on behalf of a CE, even a vendor that merely holds the data and never actually views it. Business associates can therefore include organizations involved in patient safety activities, health information organizations, and PHI data storage companies.

2. Review and collect BAAs. Once you have identified which vendors qualify as business associates, review the latest BAA each one signed with your practice. If the most current BAA you have on file with a vendor was signed on or before Jan. 25, 2013, immediately amend or replace it and have the vendor sign a new BAA that complies with the Omnibus Rule requirements.

3. Audit business associates. If your practice delegates duties to a vendor, your practice has a responsibility to confirm, to the best of its ability, that the vendor is handling those duties in conformity with the HIPAA rules. This can be accomplished through an auditing process in which your practice asks business associate representatives a set of questions and then assesses the answers. These questions include the following:

• Do you have updated policies, procedures, and manuals that your organization follows to show compliance with HIPAA?

• Have you trained all of your employees on the privacy and security procedures covered by HIPAA and documented the training?

• Do you have a mechanism in place to train new employees and document the training?

• Have you recently (certainly within the last year) completed a security risk assessment and documented this assessment?

• Do you have mechanisms in place to ensure you remain compliant with HIPAA?

• Do you have mechanisms in place to ensure any subcontractors that will have access to PHI agree to the same restrictions, conditions and requirements that apply to the business associate with respect to such information?

Business associates held to high standards

With the Omnibus Rule in effect, business associates can now be held directly liable for HIPAA breaches and violations. As a result, business associates are now required to establish and maintain a HIPAA program as comprehensive as that of a CE.

When your practice audits its business associates, this is the type of program you are looking for. If the audit reveals anything concerning about a business associate's ability to comply with the HIPAA rules, request that the business associate address the concern immediately, or consider replacing the vendor.

Although business associates can now be held directly liable for their improper use or disclosure of PHI, a CE can still be found liable if a business associate is found to be negligent (or worse) in its handling of PHI. A well-drafted BAA can go a long way toward protecting a CE from the improper actions of its vendors.

Wiks Moffat is principal and founder of MedSafe, a resource for outsourced accreditation and healthcare compliance solutions.