Health Information Management

Besides developing business associate agreements, how can we ensure that our business associates comply with HIPAA?

HIPAA Weekly Advisor, September 6, 2002


Q: Besides developing business associate agreements, how can we ensure that our business associates comply with HIPAA?

A: Even though authorities may not blame a covered entity with satisfactory assurances in a business associate agreement when a company releases information incorrectly, the organization still faces a big public relations and marketing nightmare. Patients expect you to protect their information and work with quality vendors that take HIPAA seriously.

You get the best results when your facility's privacy and security officers work closely with your business associates.

You're buying a service or product from a company, so you're in a position of power to make sure the things you need are in place. Regardless of whether business associates are providing a product (like software) or a service (such as translating data into a different format), ask them to show you what they're doing to comply. As soon as you begin talking with them, tell them your HIPAA expectations. Spell out exactly what you want them to do and ask the following questions:

1. Do you have a HIPAA compliance plan?
2. How long has it been in place?
3. Will you provide us with a copy of your HIPAA-related policies and procedures?
4. Do you have someone who leads HIPAA compliance efforts, such as a privacy or compliance officer?
5. What is his/her contact information?
6. What is his/her professional background?
7. To whom does this person report?
8. What kind of educational background, qualifications, and experience do the company's employees have?
9. Does the company conduct background checks on employees?
10. Do you educate employees on HIPAA-related policies and procedures?
11. If so, how?
12. How often have you or do you plan to conduct training?
13. Will you provide us with copies of the training materials?
14. How do you test employees' knowledge after training them?
15. What policies do you have in place to help your company meet evolving standards?
16. How do you respond to a subpoena or demand for information?
17. Do you allow prospective clients to come in for site visits?
18. If so, what is your process for preventing them from viewing other clients' information?
19. If you provide product demonstrations, are there policies and procedures in place to make sure you don't disclose facilities' information during the demonstrations?
20. What policies and procedures have you established for handling privacy breaches?

Editor's note: Answered by Jonathan Kweller, JD, LLM, vice president of compliance and regulatory services at QuadraMed Corporation, in Englewood, CO, and adapted from the September 2002 issue of Briefings on HIPAA.


