Business Associates (BAs) are an integral part of a healthcare organization because they perform tasks either more efficiently or with better quality than internal resources allow.
The Office for Civil Rights (OCR) expects the Covered Entity to provide ongoing oversight of what each BA is doing with the PHI entrusted to it. In 2018, OCR noted that 20% of all breaches affecting 500 or more individuals were associated with inadequate management of BAs.
Additionally, in a recent OCR investigation of an IT incident, OCR found that the Covered Entity had failed to put Business Associate Agreements (BAAs) in place with its vendors. OCR required the Covered Entity to integrate BA management into its corrective action plan, even though the lack of management (due diligence) was not specifically related to the breach.
Some best practices to consider:
- Ensure that the Privacy Officer or their designee reviews all new vendors to determine if a Business Associate Agreement or other type of agreement is necessary;
- Review all current third-party vendors to validate that the necessary agreements are in place;
- Track and monitor all Business Associates. This can be done in software such as a contract management system, or in an Excel spreadsheet;
- Conduct ongoing due diligence on Business Associates to verify that they are upholding the standards agreed upon in the Business Associate Agreement;
- Coordinate with IT and other departments that engage with BAs as necessary.
Robust governance of Business Associates not only protects your organization from the risk of breaches that originate with a BA, but may also reduce further enforcement action in the event of a regulatory investigation.
To learn how BlueOrange Compliance can provide tools and assistance to aid in the development of your BA management program through our Privacy Full Support program.