
Braving OCR audits and business associate compliance

September 03, 2016
From the September 2016 issue of HealthCare Business News magazine

Use the OCR 2016 Audits Protocol to check your work.
The OCR has guidelines for complying with the BAA requirements on its website. Use those guidelines to create a checklist to help ensure all required elements are covered. Ask yourself:

What will the auditors be looking for with respect to audits?
Does the covered entity enter into business associate contracts as required?
Do these contracts contain all required elements?



Obtain and review policies and procedures related to the identification of BAs and the creation and establishment of BAAs.
An important part of this review is to evaluate whether the policies and procedures accurately identify BAs and establish BAAs that are consistent with the established performance criteria. Further, review a sample of BAs to evaluate whether the agreements are consistent with the performance criteria the covered entity has established in its policies and procedures. Finally, review a sample of BAAs between the CE and such BAs for compliance with the most current provisions required by OCR, such as language requiring subsequent BAs/subcontractors to provide adequate assurances that they will abide by the HIPAA privacy and security regulations.

Inquire whether there is any knowledge of a pattern or practice of the BA that constitutes a material breach or violation of the BA’s obligation.
Obtain and review documentation of reports from the BA to the CE of any uses or disclosures not provided for in the BAA or the underlying contract. If a breach or violation is identified, notify the BA in writing of the breach and request a cure. If a cure is not forthcoming within the time frame allowed by the BAA, the BAA and the underlying relationship must be terminated. Alternatively, the CE can notify the Secretary of Health and Human Services or the OCR of the breach.

Organizations must get their house in order with regard to contracts and vendors. Know who those vendors are and make sure all the necessary documentation is accurate and up to date. Since vendor information lives in several departments across the organization, one of the most helpful approaches is to funnel all vendor information through one department and centralize the information.

About the authors: Phyllis Garrison is the health privacy director at Eskenazi Health. Jackie McGuinn is the senior strategic marketing manager for GHX.
