By Jack Anderson
December 17, 2013
We have a survey developed by our privacy and security expert Rebecca Herold that asks some very detailed questions about how business associates (BA) access, store, process, and most importantly secure PHI but I boil it down to a simple question; Have you updated your written policies and procedures since March of 2013 when the Omnibus Rule was finally delivered?We now have updated all of the policies, procedures, forms, and tasks in our systems to reflect those changes wrought by the Omnibus Rule but it took us several months. So even if you were trying to keep up, had written policies and procedures, a privacy and security officer, and a recent risk assessment, if you didn’t update all of these based on the new rules you are out of compliance.One of the significant additions are the Privacy Rule policies and procedures which have been added to the Security Rule set. While BAs are not required to meet all of the Privacy Rule they need to know which ones are applicable.
Another significant area is BA agreements. As a BA you have probably signed, filed and promptly forgotten many BA Agreements or BAAs. New rules are in place and your business partners are taking them seriously. I see many blogs and articles from healthcare law firms describing some of the draconiam clauses that are being added to BAAs, including indemnification and right to audit clauses. Not only are they putting these clauses into the BAAs they are recommending that the CEs monitor their BAs to make sure that they are complying. Trust but verify is bandied about quite liberally.
So, BA beware, it is a new world and you need to get compliant, stay compliant and be able to prove compliance. If you need help or advice give me a call at 866-984-3573 or email me at jack@compliancehelper.com