The importance of a well-executed vendor and business associate management plan cannot be overstated. It is certainly obvious from headlines over the last several years that organizations that don’t put the time in are risking financial ramifications as well as damage to reputation, which can be even more costly. The good news is that focusing your efforts on vendor and business associate (BA) management brings value to organizations in multiple ways. By putting into place processes that improve visibility into your vendor population and management of business associate relationships, you improve compliance with the Health Insurance Portability and Accountability Act (HIPAA) Final Omnibus Rule, are better prepared for an Office for Civil Rights (OCR) audit, and internally gain greater operational efficiency from more streamlined processes.
With the OCR currently auditing covered entities (e.g. hospitals, health systems) and their business associates to determine if they are in compliance with HIPAA requirements, organizations need to have in place a signed and executed business associate agreement (BAA) for each vendor deemed a business associate. For those business associates that fail to sign BAAs, healthcare organizations must have a way to prove that they have attempted to secure agreements. All of this information needs to be stored electronically for quick retrieval in the case of an audit.
In reality, for many healthcare organizations, BAAs are being managed in drawers and separate systems throughout the organization, resulting in:
Having documentation spread across your organization prevents you from properly preparing for an OCR audit.
The first hurdle to clear is determining which vendors are defined as “business associates”; the second is putting appropriate safeguards in place to prevent unauthorized use and disclosure of patients’ electronic protected health information (ePHI) under the 2013 HIPAA Final Omnibus Rule.
GHX goes about it in this way:
While the initial work to identify current business associates and secure BAAs is extremely valuable, ongoing business associate management is critical for achieving compliance.
An efficient business associate management process can have a tremendous impact on your organization. Knowing who your BAs are and which have signed BAAs reduces the risk of issuing a Purchase Order to a business associate without a BAA on file. More importantly, increased visibility and control over the BA management process reduces risk, improves compliance and makes you better prepared for an OCR audit.