The Healthcare Hub

Best Practices for HIPAA OCR Business Associate Compliance

Tuesday, October 18, 2016

This past spring, many provider organizations received notice of a yet another regulatory compliance assessment as part of their HIPAA accountability checklist.

The Department of Health and Human Services, Office for Civil Rights (OCR) announced the start of the Phase 2 HIPAA Audit Program to ensure that “policies and procedures adopted by covered entities and their business associates meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.”  Indianapolis-based Eskenazi Health, one of the largest safety net health systems, was one of those organizations. 

The challenge for all provider organizations is the continuous review of vendor relationships to determine which qualify as business associates, and then to request Business Associate Agreements that comply with HIPAA regulations. For many providers, this process is largely manual. For Eskenazi, solving that challenge included working with our team at GHX to help centralize business associate management via one electronic solution, giving the organization greater visibility and control over the hundreds of business associate relationships the organization manages.

Eskenazi’s health privacy director, Phyllis Garrison, and I were invited by Healthcare Business News to share some of the approaches that have helped Eskenazi successfully prepare for and be compliant with these new regulations. The published bylined article will help those of you grappling with this critical issue be more informed and prepared.

In the article, we counsel that “the key to surviving OCR reviews is that an organization must have control of its contractual relationships (including PO’s) in order to be HIPAA Compliant. The challenge is in how to do it.” I invite you to read the article and learn more on four best practices to compliance:

  1. Use a comprehensive vendor and contract management process.
  2. Use the OCR 2016 Audits Protocol to check your work.
  3. Obtain and review policies and procedures related to the identification of BA’s and the creation and establishment of BAA’s.
  4. Inquire whether there is any knowledge of a pattern or practice of the BA that constitutes a material breach of violation of the BA’s obligation.    

Learn more about GHX Credentialing.

Image Description

Jackie McGuinn

Strategic Marketing Senior Manager