Thursday 11 February 2016

Some More On Business Associate Compliance

Business Associate (BA) compliance has become a complicated concept in the world of health care, not to mention the real-world confusion with the Affordable Care Act and all its problematic pages and pages of complex rules, regulations, mandates and other issues. Actual BA compliance has to do with a health care organization’s ability to document how its BAs are safeguarding patients’ protected health information (PHI) while mitigating the risks associated with handling that data.

Health care organizations themselves are becoming more and more aware of their BA risks. They are raising expectations of their associates to perform and provide the pertinent documentation necessary to prove not only that they are compliant with HIPAA, but that they have an effective risk management system in place as well. Before HHS made its addenda to the federal HIPAA regulation, BAs were given a fairly free rein with their compliance. However, since September 2013, BAs must meet the same standards as the hospitals, clinics, and doctors that they service or represent.

As for the kind of proof necessary to demonstrate compliance, it could entail BAs completing a questionnaire, but it could also involve more than that, such as recent risk assessment reports, attestation that policies and procedures are in place, and staff training documentation. Business Associate Compliance Agreements (BAAs) must be signed by BAs to protect a Covered Entity (CE) from liability in the event that a BA is found to be out of compliance with HIPAA.

The definition of a BA has changed in a number of ways since HIPAA was established. It now includes not only BAs but a BA’s subcontractors as well. Any subcontractor that handles PHI on behalf of a BA is bound by the same HIPAA regulation as the BA itself. The BA is liable for the acts of its subcontractors, and the BA and its subcontractors are required to have agreements and assurances between one another concerning their relationships and expectations. The BA must balance giving direction to subcontractors who are unfamiliar with HIPAA guidelines against exercising the kind of authority that makes for workable relationships.

These kinds of requirements bring new sources of liability to the BA. Not only must BAs comply with the law, they must also improve and adjust their position within the HIPAA parameters given to them. In order to operate under the provisions of HIPAA, BAs have to carefully separate or distance themselves from agency relationships with their subcontractors, and make effective use of the indemnification provisions in their BAAs. The BA works toward finding the right strategies to limit its exposure to new sources of liability or potential breaches, while effectively managing the other risks to its HIPAA compliance.

BAs are required to comply with HIPAA regulation, and their model of operations has changed significantly, with increased responsibility for subcontractors as well as the pressure of increased liability. The BA’s expanded model of operations and its adaptation to HIPAA regulation can be difficult tasks, with accountability for PHI posing just as much of a challenge.
