BA Tracker™
Keep Track of Your BAs’ Compliance, Free!
CEs are now accountable for more active validation of BA security and privacy program compliance, beyond just having a BA contract in place. It is more important than ever for CEs to take proactive measures to ensure BAs establish and maintain effective and appropriate information security and privacy policies and other supporting actions.
Business associate security and privacy programs: HIPAA and HITECH. By Rebecca Herold, CIPP, CISSP, CISA, CISM, FLMI, Compliance Today Magazine, February 2010.
This warning was sounded more than 18 months ago but was quickly forgotten when HHS announced a “delay in enforcement” until issuance of “The Final Rule”. The warning has not prevented hundreds of data breaches of over 500 patient records and tens of thousands of smaller breaches compromising millions of patient records and causing serious damage to the covered entities involved. Tragically, a high percentage of these breaches have been caused by business associates and sub-contractors.
“One of your biggest vulnerabilities is your business associates.” Adam Greene, a partner at the Washington law firm Davis, Wright, Tremaine LLP, and a former official at the HHS Office for Civil Rights. Healthcare Information Security, September 2011.
To attempt to manage this risk, the CE could send questionnaires, do phone interviews, request copies of policies and procedures, request new risk assessments and security audits, or even do an on-site visit. Since most CEs have hundreds of BAs, and some have thousands, this could be an expensive proposition in both time and money.
Working with Rebecca Herold, Compliance Helper (CH) has developed BA Tracker™ to do the job for the CE, for free. We charge the BA a small fee for measuring and displaying their compliance on an ongoing basis and reporting that to the CE.
The CE delivers a list of its BAs to CH and informs the BAs that they must supply proof of compliance on an ongoing basis. The CE describes BA Tracker™ as an acceptable proof of compliance, along with any other acceptable methods. CH contacts the BAs and offers its services.
Each month the BA receives an attestation form requiring them to verify their profile information, attest that they are conducting ongoing training and maintaining their policies and procedures, and answer a HIPAA HITECH quiz. They will be given a score that will be reflected through their Compliance Meter™ and through a dashboard report on the CE website. Should the BA need additional help, they may sign up for the CO-OP or Prepare/Care services, which will enable them to set up a comprehensive privacy and information security program and maintain their compliance.
The CE gets a private and secure website with profiles of their BAs enrolled in BA Tracker™, along with the BAs’ current and past scores reflected through meters and dashboards. With the BA’s permission the CE may drill down, remotely, to view all compliance activities of the BA.
The cost to the BA is less than a hundred dollars a month for BA Tracker™ and only a few thousand per year if they need the full Prepare/Care Services.
For more information contact Jack Anderson, jack@compliancehelper.com




