Health Information Management

TIP: Provide ongoing contract maintenance with your BA

HIM-HIPAA Insider, March 16, 2009

Your work isn’t done after signing a contract with a business associate (BA). You need to do more than simply assume that your BA is following through on terms of the contract.

Although the BA is performing important continuing functions, says John R. Christiansen, JD, managing director at Christiansen IT Law in Seattle, covered entities should provide regular (e.g., annual) audits for security compliance. Consider checking for some aspects of privacy compliance as well.

“The BA may want to conduct its own audits and provide the reports to clients in order to avoid audit duplication, which is fine, as long as the auditor is genuinely independent and competent and the report is complete,” says Christiansen.

William H. Roach Jr., MS, JD, partner at McDermott Will & Emery in Chicago, says periodic inquiry is sufficient unless you are suspicious that the BA is violating the agreement.

“In that case, the covered entity is required to take corrective action up to and including terminating the BA agreement if the BA does not take the necessary corrective action,” he says.

Editor’s note: This is an excerpt from the February 2009 edition of the HCPro, Inc. newsletter, Briefings on HIPAA. The HITECH Act has changed rules for BAs, but these tips on ensuring a strong contract still apply.

Most Popular