Business Associate Management Strategies

Post Contributed by Alan Davis, Proteus Consulting

Business Associate (BA) management is an important facet of a Covered Entity (CE) HIPAA security program.  Yet many BAs are playing “catch up” to comply with the HIPAA Security Rule updates brought about by the HITECH Act.  CEs are now challenging themselves to properly manage their BA relationships as they begin to realize that both parties are directly liable to comply with the HIPAA Security Rule, Breach Notification Rule, and applicable portions of the Privacy Rule.

Accurately identifying BAs is the first step to an effective BA management strategy. CFR 45, §160.103, defines what constitutes a BA relationship and provides examples of when a BA relationship is not necessary. Companies subcontracted by a BA that create, receive, maintain, or transmit protected health information are also BAs, and must comply with the HIPAA Rules. The work being performed, and not the contract or agreement, defines whether a BA relationship exists.

The BA contract, also known as a Business Associate Agreement, is the proper means to articulate the permitted use of protected health information and ensure a BA’s compliance with the HIPAA Rules.  We recommend a “lifecycle” approach to ensure compliance during the contract process.  Pre-contract due diligence should include a security questionnaire to the BA and include proof that the BA has completed a current and proper security risk assessment (a BA requirement as of September 23, 2013 per the HIPAA Omnibus Rule).  Post-contract controls should articulate how contract compliance will be monitored and include event management procedures.  Lastly, the contract should include termination processes and procedures.

Although privacy and security are not a checklist, here are some thoughts to help manage BA relationships:

◦ Evaluate who is and who is not a Business Associate (include BA subcontractors);

◦ Keep track of individual contract dates and formally assign a person to manage the process.  Review each contract at least annually;

◦ Ensure that your contract stipulates in writing that subcontractors will agree to the same data use controls;

◦ All BA contracts need to be updated if not compliant with current HIPAA Rules;

◦ CEs are accountable to report all BA breaches to Health and Human Services (HHS) (including subcontractors to the BA);

◦ Technologies (encryption, firewalls, etc.) do not relieve BAs of compliance with the HIPAA Rules;

◦ BAs may be inspected during a CE Office for Civil Rights (OCR) audit;

◦ 2014 was a record year for HHS collections from non-compliant CEs and BAs.

Breaches are expensive, sometimes even enough to close a practice or supporting company.  BAs are responsible for ~25 percent of all incidents and have affected millions of patients; some CEs are uncomfortable becoming more intrusive, and some BAs remain slow to engage with the HIPAA Rules.  Both businesses’ reputations and revenue are based on patient trust, and all should agree that a formal, compliant BA contract is a responsible part of HIPAA compliance and electronic protected health information security.

– Alan is the Principal of Proteus Consulting, LLC, of Hayden, Idaho.