HIPAA HITECH "Satisfactory Assurances": The Compliance Meter (tm)
I was recently involved in an interesting discussion with a group of privacy and security experts concerning a covered entity's (CE) responsibility for obtaining "satisfactory assurances" that its business associates (BAs) have taken the necessary steps to protect the protected health information (PHI) the CE entrusts to them. The basic requirements are documented policies and procedures, a designated compliance officer, and training for staff.
How does the CE know that the BA is actually following these guidelines? Some say that having the BA sign a business associate agreement is sufficient. One attorney suggested a variation of "Don't Ask, Don't Tell". Others say it depends on the level of harm that a disclosure would represent. The Ponemon Institute study for 2009 found that 42% of data breaches were caused by BAs, so the threat is real. Most agree that an active program for managing BAs is important.
The next big question is how a CE would manage a network of hundreds of BAs. HHS has not given any organization authority to "certify" or "accredit" HIPAA HITECH compliance, so the CE must develop its own standards and require its BAs to comply. What can a BA offer as proof that it is compliant? It could send its policies and procedures to the CE or fill out a questionnaire. The CE could audit it or make an on-site visit, but all of these efforts are expensive, time-consuming, and ultimately insufficient.
Compliance Helper has developed a solution for this problem. BAs and their subcontractors (Subs) can enroll in one of our programs, which delivers policies, procedures, forms, a step-by-step process and, most importantly, a personal Helper who is a privacy and security expert. Embedded in the online interactive program are metrics for measuring the current level of compliance in the BA or Sub. These are transmitted to a Compliance Meter (tm) that can be displayed on the organization's website or delivered to its CE. The Compliance Meter (tm) displays the percentage of approved policies, procedures, and forms as well as the organization's score for the maintenance tasks completed that month.
Our Compliance CO-OP offers a similar program for only a $125 setup fee and a $35 per month maintenance fee. This makes it affordable even for a single-person BA such as a transcriptionist, coder, or biller.
Transparency is critical when CEs, BAs, and Subs are relying on each other to protect PHI. The Compliance Meter (tm) provides the only "satisfactory assurances" available today.