
Make sure to review BA relationships periodically

HIPAA Training Advisor, September 21, 2006

It's been more than three years since the privacy rule's compliance date, and business associate (BA) compliance remains a top concern for organizations. That's due in large part to a widespread inability to constantly monitor BA practices and identify potential problems.

"Is there an obligation on the part of the covered entity [CE] to monitor BA compliance?" asks Rebecca L. Williams, RN, JD, partner at Davis Wright Tremaine, LLP, in Seattle. Many contracts have language built in that allows CEs to go in and look at practices, but CEs may not have the expertise or manpower to do so, she says. "They may also get pushback from the BAs because [the BAs] don't want to be subject to investigations whenever the CEs feel like it."

In many cases, that leaves CEs' actions outside of the BA agreement as the main compliance tool. Riverview Hospital Association in Wisconsin Rapids, WI, uses a detailed process for dealing with BAs, says ethics and compliance officer Paula J. Cook, MBA. First, the organization's various departments review a list of BAs and vendors annually and determine whether relationships have changed.

It's also important to identify the role of each BA and whether it has changed, says Williams. For example, a software vendor may not have had access to PHI previously, but now does. A lawyer may have originally helped develop general policies, but is now helping with a specific case that involves PHI.

Consider reviews for 'critical' BAs
Organizations need to keep track of BAs with a contract management system, says Williams. Know what contracts exist, the party and services involved, when the contracts end, and what notice for termination you must give, she says. Also review contracts annually, or whenever there is a change to the HIPAA regulations, says Williams.

Look at the language in the agreements to make sure that it meets HIPAA requirements and addresses specific organizational concerns. When it comes to monitoring compliance, your approach will likely depend on the BA, says Williams. For those that are critical to your existence (e.g., billing companies or information system vendors), take a more hands-on approach to monitoring compliance. For others (e.g., storage companies), watch for a pattern of bad practices before investigating, she says.

Also consider asking to look at the BA's privacy- and security-related policies and procedures, says Williams. "The BA won't likely want to, and shouldn't, give detailed information on every security mechanism; however, [it] should be willing to share [its] general approach to privacy and security."

Editor's note: Adapted from "Make sure to review BA relationships periodically," Briefings on HIPAA, September 2006.
