Covered Entities need Business Associates for HIPAA Compliance Regulations.
If you are a Covered Entity, you have a vested interest to ensure your Business Associates are HIPAA compliant. The Office for Civil Rights (OCR) has increased its scrutiny of Business Associates, as evidenced by several highly publicized HHS Resolution Agreements levied against this sector. When a Business Associate is found in violation of HIPAA law, the reputation and public trust of the related Covered Entity is negatively impacted, and the Covered Entity may also be fined. Covered Entities would do well to ensure they have employed a solid Business Associate Management Program.
What Exactly is a Business Associate?
A Business Associate is generally defined as an individual or organization, other than a workforce member, who creates, receives, maintains, or transmits Protected Health Information (PHI) on behalf of a Covered Entity. Covered Entities are required to execute written contracts with Business Associates to ensure that PHI is being appropriately used, disclosed, safeguarded, and that there is the proper response to breaches and the exercise of individuals’ rights.
Why Monitor Business Associates?
Covered Entities should conduct on-going due diligence of their Business Associates and must act upon any information or evidence that suggests non-compliance by either requiring the Business Associate to correct the issue, or by terminating the business relationship.
This means that, among other things, Business Associates must:
- Implement administrative, physical, and technical safeguards outlined in the HIPAA Security Rule;
- Train their workforce on HIPAA and privacy and security policies for their organization;
- Conduct regular security risk assessments;
- Adhere to the terms of their Business Associate Agreements with a Covered Entity; and
- Notify Covered Entity of any suspected breaches of PHI immediately or within the terms of the BAA.
Business Associates must also execute and enforce written contracts with their subcontractors and take reasonable steps to ensure those agents safeguard PHI and are HIPAA compliant.
Business Associate Compliance
The actions (or inactions) of Business Associates can pose serious financial and reputational risks to a Covered Entity, so these partnerships should be closely managed. Framework for a proactive Business Associate Compliance Program includes a complex series of policies, procedures, and contractual requirements governing permitted and required uses and disclosures of PHI, the use of appropriate safeguards, and assurances concerning an agent’s use and protection of PHI. It can be a challenging undertaking – consider hiring professional compliance experts to help you navigate the process.
Learn how BlueOrange Compliance can help turn HIPAA complexity into HIPAA compliance, request a free consult.