Thursday, February 01, 2018

Business Associate Management Delivers Three-fold Value: Compliance, Preparedness, and Efficiency

The importance of a well-executed vendor and business associate management plan cannot be overstated. It is obvious from headlines over the last several years that organizations that don’t put the time in are risking financial ramifications as well as damage to reputation, which can be even more costly. The good news is that focusing your efforts on vendor and business associate (BA) management brings value to organizations in multiple ways. By putting into place processes that improve visibility into your vendor population and management of business associate relationships, you improve compliance with the Health Insurance Portability and Accountability Act (HIPAA) Final Omnibus Rule, are better prepared for an Office for Civil Rights (OCR) audit, and internally gain greater operational efficiency from more streamlined processes.

With the OCR currently auditing covered entities (e.g. hospitals, health systems) and their business associates to determine if they are in compliance with HIPAA requirements, organizations need to have in place a signed and executed business associate agreement (BAA) for each vendor deemed a business associate. For those business associates that fail to sign BAAs, healthcare organizations must have a way to prove that they have attempted to secure agreements. All of this information needs to be stored electronically for quick retrieval in the case of an audit.

In reality, for many healthcare organizations, BAAs are being managed in drawers and separate systems throughout the organization, resulting in:

  • A decentralized process with various departments each playing a role in managing BAAs — purchasing, supply chain and contracts, legal, IT, security, HIPAA counsel, etc.
  • Lack of an organization-wide list of BAs
  • No central repository, enterprise-wide visibility or accessibility to BA relationships and BAAs
  • BAAs secured as an attachment to a contract rather than as a standalone document

Having documentation spread across your organization prevents you from properly preparing for an OCR audit.

The first hurdle to clear is determining which vendors are defined as “business associates”; the second is putting appropriate safeguards in place to prevent unauthorized use and disclosure of patients’ electronic protected health information (ePHI) under the 2013 HIPAA Final Omnibus Rule.

GHX goes about it in this way:

  • Identify the vendors that fall into the category of business associate using a survey to reveal vendors’ access or exposure to protected health information (PHI)
  • Analyze the results of the survey with cross-functional representatives to determine vendors that fall into BA category
  • Enter vendors deemed business associates and their contact information into Compliance Document Manager
  • Using the information gathered from the survey, reach out to all BAs for a signature with a templated BAA (pre-signed by the healthcare organization)
  • Maintain a central repository of contact information, signed agreements and audit trail of attempts to retrieve signatures within Compliance Document Manager

While the initial work to identify current business associates and secure BAAs is extremely valuable, ongoing business associate management is critical for achieving compliance.

  • To keep the information up to date, develop new processes and systems for collecting and storing this information
  • Create a templated letter that is sent to each new vendor detailing the steps required to do business with your organization
  • Require new vendors to answer questions about access and exposure to PHI before signing a contract to determine BA status
  • Collect the BAA and other pertinent documentation/correspondence to be stored electronically

An efficient business associate management process can have a tremendous impact on your organization. Knowing who your BAs are and which have signed BAAs reduces the risk of issuing a Purchase Order to a business associate without a BAA on file. More importantly, increased visibility and control over the BA management process reduces risk, improves compliance and makes you better prepared for an OCR audit.