Road to HIPAA Compliance: Managing Business Associate Compliance

by KirkpatrickPrice / July 20th, 2016

Why Does Business Associate Compliance Matter?

The goal for this session is to identify the importance of the relations between covered entities and business associates, and to identify the issues that business associates and covered entities must navigate. This webinar is not designed just to benefit the covered entities. If you are a business associate, it will be beneficial to learn the issues that covered entities are dealing with and how that affects you.

Why is it important to discuss business associate compliance? We see four areas of significance:

  1. Associated Liability: Business associate breaches have great impact, from a regulatory perspective, on a covered entity.
  2. Regulatory Activity: The OCR has begun Phase 2 HIPAA audits, but after Phase 2 is done, the OCR is planning to have a permanent audit program. Regulatory activity is ongoing.
  3. Market Forces: Covered entities are only going to continue to increase their oversight of business associates, which means the market for business associates is going to get more and more competitive. Business associates need to be able to handle covered entities’ concerns to stay in business.
  4. Scope: The nature of healthcare services in our current climate means that if you’re a covered entity, someone else is likely fulfilling a critical role for you. When your number of business associates is growing, there are more and more opportunities for risk and liability.

Who do covered entities need a Business Associate Agreement with?

The Privacy Rule requires that covered entities receive satisfactory assurance that the business associate will safeguard PHI on behalf of a covered entity. The challenge is knowing who your business associates are. Business associates are defined as “A person or an entity that creates, receives, maintains, or transmits PHI for a regulated healthcare function.” Seems pretty cut and dried, right? There are a couple of ways to think about who a covered entity needs to have a Business Associate Agreement with. Some covered entities have a “better safe than sorry” or “just in case” mindset. They have Business Associate Agreements with anyone who could ever potentially come in contact with PHI. The other end of the spectrum believes that because the requirements and challenges of safeguarding PHI are so great, covered entities should only commit to monitoring business associates that are actually business associates, and should only have Business Associate Agreements with those that are legitimately business associates. This webinar also dives into the specific required elements of Business Associate Agreements.

How does the oversight of business associates work?

There are some weird dynamics when it comes to the legal standards for business associates, and it takes some learning to overcome those dynamics and discover what the actual obligations are. Then there are practical oversight considerations, like covered entities’ reliance on business associates, and their audit and inspection rights. Some of the other issues that arise in business associate oversight are security measures, mobile devices, audit logs, and business associates’ sophistication.

This webinar is packed full of information and details. Download the whole thing; we promise you’ll learn something. This webinar is for covered entities and business associates. To learn more about HIPAA compliance, contact us today and speak to an expert.