The Healthcare Hub

Building a Culture of Compliance

Tuesday, April 11, 2017

The second phase of OCR audits is not the permanent program, but we have learned some things so far.

Managing business associate (BA) relationships in this era of change takes an ongoing approach. In fact, building a culture of compliance is the only way to make iterative improvements. So, does your organization demonstrate a culture of compliance through daily actions? Do you know the areas where the Office for Civil Rights (OCR) is putting the most emphasis? Does your organization understand the current definition of a business associate in the eyes of the OCR? 

Phase two of OCR audits is in progress and is still only a lead-up to a permanent program, but we can gain valuable insight from what has transpired so far to get a sense of the direction going forward. For instance, we see the OCR investigating smaller breaches, and recent settlements have centered on the lack of business associate agreements (BAAs), with increased focus on intercompany/subsidiary relationships, not just third-party relationships. Smaller breaches have led to the discovery of bigger issues, and subsidiary relationships are just as accountable for privacy as third parties.

In the Summit Series webinar hosted by GHX, Business Associate Management: Risks and Impacts to Providers, Joseph Dickinson, Counsel at Tucker Ellis LLP and former Chief Privacy and Chief Information Security Officer at MetroHealth System, speaks with Jackie McGuinn of GHX about building a culture of compliance and shares actionable strategies based on experience. For instance, a written policy is of little value without demonstrated (and documented) action backing it up, and the best place to start is the top. Culture is built from the top down, meaning that every level of the organization participates in the program, including leadership and the C-suite.

When it comes to identifying business associates, Joe relates from personal experience that objectivity is crucial. There are many relationships within a large hospital, and many are long-standing, so while the nature of the service that a vendor provides may not change, systems and processes within your organization may change in a way that incidentally gives that vendor access to electronic personal health information (ePHI), thereby changing its status as a business associate. This development may not be obvious to the individual or team that initiated the vendor relationship. Key to addressing ongoing review of vendors was a decision to move the checklist for BA status away from supply chain to a HIPAA compliance team. Two further practices support ongoing review of BA status: establishing a partnership with vendors for continuing compliance education, and building into your program a process for a free flow of information and routine communication.

Further topics covered in the webinar recording include risk analysis and developing a corrective action plan, outdated business associate agreements, identifying BAs at onboarding, and collecting information in preparation for an OCR audit.

You can also hear more from Joe Dickinson at the 2017 Supply Chain Summit. Best Practices in Vendor and Business Associate Risk Management is the breakout session topic, where Joe will take part in a panel discussion along with Dawn Lambert of IASIS and Ed Lewis of Texas Children’s Hospital. The panel will share operational practices and best practices for developing and executing a business associate framework to reduce risk and improve compliance.