100th HIPAA HITECH Blog: How To Manage Your Business Associates and Sub-Contractors
When I first started writing this blog all of the healthcare law firms were saying that all the covered entity (CE) had to do was update their business associate (BA) agreements. Of course the law said that they needed "suitable assurance" that their BAs were compliant but many felt that they didn't want to look too closely for fear that they would find something that needed fixing. The law also said that if a pattern of non-compliance was detected the CE must urge the BA to fix it, or sever the relationship and report them to HHS. I know of no examples of this actually happening. Instead the BA signed whatever was sent to them, filed it without reading it, and went merrily on their way, secure in the knowledge that no one was going to show up and ask to see their privacy and security program.
With the publishing of the NPRM, HHS made it very clear that the CE needed to manage their BAs and Subs, and this started being reflected in the legal blogs. Here is an example from an interview published in Healthcare Informatics: Preparing for HITECH and HIPAA Compliance Interview: Amy M. Gordon, Health and Welfare Benefits Expert, McDermott Will & Emery
HCI: Can you elaborate on the culpability of each entity in the chain?
Gordon: "In the past, if you had a contract with a business associate and they were the ones that were committing the violation, but the covered entity did not know of the pattern of practice of the violation, then essentially the covered entity was off the hook.
But these proposed regulations remove this exception. They make a covered entity liable for civil penalties, due to a business associate or business associate’s subcontractor’s violation, regardless of whether there was a compliant contract in place or whether the covered entity knew of the violation or acted appropriately in response to the violation."
The entire article can be found here: http://www.healthcare-informatics.com/ME2/dirmod.asp?sid=E3EC2A8000454A258DF3AA343FDBDA9E&type=Publishing&mod=Publications%3A%3AArticle&mid=8F3A7027421841978F18BE895F87F791&tier=4&id=81AA7F1E2385444D9B87A2045A107C8E
We realized that this created a whole new aspect of HIPAA HITECH: managing your BAs and Subs. It also raised the question of how you get small, or even tiny, companies to comply. We developed two unique services. The first was the Compliance Meter™. This is a widget attached to embedded metrics in our Prepare and Care services that measures the level of compliance of the BA or Sub in four areas: Policies Approved, Procedures Approved, Forms Approved, and Tasks Completed. The widget reflects their compliance in real time and may be displayed on their website or deployed to their CEs or other business partners. So now, at a glance, you can see their current level of compliance.
The next development was the Compliance Cooperative, or CO-OP. When the NPRM added sub-contractors, we realized that this would include single persons working as 1099 workers. The challenge was to find a way to extend our services to them at a price they could afford and through a process they could manage. The basic concept is that if businesses share a business model, they can share a website with policies, procedures, forms, monthly task lists, and a privacy and security expert to support them. By sharing the website the cost is greatly reduced, and with monthly attestation we can still give them a score every month and reflect it through a Compliance Meter™.
Adding all this up, what the CE gets is a free method of managing their BAs and Subs. The BAs and Subs get a low-cost, efficient method of getting compliant, staying compliant, and proving compliance with the Compliance Meter™.
This is especially important in light of another section of the NPRM, which stated HHS's expectation that if a BA had a BA agreement in place, the BA was compliant with the terms of that agreement now.