Business associates: Have you really integrated them into your risk profile?

Marti Arvin (marti.arvin@cynergistek.com) is Vice President of Audit Strategy at CynergisTek in Austin, TX.

When the HIPAA Privacy Rule became enforceable in April 2003, many organizations made efforts to ensure that a business associate agreement (BAA) was in place whenever a vendor was clearly going to handle protected health information (PHI). The level of effort, however, varied widely. Since then, organizations have expanded and improved these efforts. With the changes under the HITECH Act[1] and its implementing regulations, organizations updated their agreement templates and worked to obtain newly signed BAAs from existing vendors by the September 23, 2014 deadline.

In April 2012, the Office for Civil Rights (OCR) entered into its first Resolution Agreement and Corrective Action Plan (RA/CAP) that included a finding regarding the lack of a BAA.[2] Still, many organizations did not give the issue significant attention until OCR began its Phase II audit process at the beginning of 2016. One of the initial steps of that process asked covered entities to provide a list of their business associates. This request had some covered entities scrambling to produce the list and questioning its completeness. Later in 2016, OCR entered into its first RA/CAP involving the failure to update a BAA in a timely manner.[3] The resolution amount was $400,000. Almost exactly six months later, another agreement was entered into with OCR over the failure to obtain a BAA at all.[4] This time the amount was only $31,000.

All of this illustrates the regulatory obligation: when a covered entity engages a vendor to perform a service for or on its behalf, and the vendor will create, receive, maintain, or transmit PHI in performing that service, the covered entity must obtain satisfactory assurance that the business associate will appropriately safeguard the information.[5] That assurance is obtained through a BAA. However, a BAA that merely satisfies the regulatory provisions may not be sufficient to address the actual risk the vendor introduces.
