Covered Entities Asking Business Associates for HIPAA HITECH Proof
I last wrote about the shift in opinions from the healthcare law firms, from focusing on BA agreements to getting "suitable assurance" from their BAs that they were compliant.
While I was not a big fan of the original "trickle down theory", I believe I am seeing an instance here in the HIPAA HITECH world. This article, http://www.blassaffiliates.com/JHIM_Fall_2010_HITECH_Accounting_of_Disclosures.pdf is yet another example of CEs being advised to seek due diligence documentation from their BAs.
I have also been getting an increasing number of calls from IT vendors who have been asked to prove that they are HIPAA HITECH compliant. The CEs are being asked to be the enforcers and I think that they will be the most efficient and effective managers of this task. The BAs rely on them for their day to day revenue and will respond to their requests much faster than they will to some vague threat of a fine from some federal agency they have never heard of before.
Very soon it is going to be a fact that if you want to do business with anyone that touches PHI you will have to be able to prove that you are HIPAA HITECH compliant. No one has authority to certify you or guarantee that you are compliant. If a company offers to give you HIPAA HITECH certification put your hand on your wallet. Each CE will have to establish their own standards for acceptance of proof. Some will send questionaires, others will ask for copies of policies and procedures and perhaps a few will actually visit their BAs to audit them. This is an expensive proposition however, and we think that the Compliance Meter tm is a reasonable alternative.
We have two different meters, one for our Care maintenance service and one for our CO-OP service. The Care meter is driven by metrics embedded in our Care program that measure the following areas; Policies Approved, Procedures Approved, Forms Approved, and Tasks Completed. Approved means that the initial phase fo setting up their privacy and security program (Prepare) the client has read and accepted our template without changes, or edited it and gotten approval from their personal Helper, a privacy and security expert. Tasks completed indicates the percentage of their monthly tasks that they have completed for the previous month. So in October you will see their score for September. We also keep a complete history of their tasks and modifications of policies, procedures, and forms. So the Helper is providing oversight throughout the process.
The CO-OP member gets a pre-edited set of P,P&F and starts out on the Care program. The Helper maintains the P,P&F and provides advice. They get a monthly task list which includes a monthly attestation form. The form contains a monthly quiz and a signed statement from the owner attesting to their compliance actions for the month. Their score is calculated and drives a single Compliance Meter tm .
We collect the data as a byproduct of our clients doing their compliance chores. We display this information in various formats for the convenience of our clients and their business partners. With the client's permission a business partner can drill down for further information such as viewing a policy, when it was edited, and when it was approved by their Helper. This can all be done remotely through the Internet.
We believe that the Compliance Meter tm provides the transparency needed by CEs, BAs, and Subs.