As of February 17, all business associates (BAs) must comply with the HIPAA security rule and parts of the privacy rule or face stiff penalties.
It's time to do a last-minute check to make sure they are.
Know your BAs. Most importantly, double-check your list of BAs, says Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, MA.
Make sure that anyone who could qualify as a BA has been accurately identified as a BA. For example, your organization may not realize that a consultant who has access to personal health information (PHI) actually qualifies.
Make sure organizations you have identified as BAs actually are, says Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of HIPAA Boot Camp in Casa Grande, AZ.
In the early days of HIPAA, many organizations decided to err on the side of caution and made pretty much everyone sign a BA contract, says Ruelas. But that decision may come back to haunt them with this new compliance date pending.
Gauge your BAs' readiness. The next item on your last-minute checklist is to make sure that your BAs know that they are expected to comply with these regulations. Some organizations, even this late in the game, might not even know that they are required to be HIPAA compliant, says Ruelas.
Don't just ask your BA if they are HIPAA compliant; ask them specific questions to gauge their readiness, such as how they will handle specific scenarios, says Borten. Some BAs also may not understand the full extent of what they are now required to do, says Ruelas. For example, they might know they have new breach notification requirements but be unaware of their other responsibilities, says Ruelas.
Make sure your BA contract language is up to date. Once you've checked up on your BAs, make sure you have legal contracts that include all the language required by the privacy and security rules and HITECH Act.
Put expectations in writing. For example, make sure that the covered entity and BA agree on action parameters when a breach is discovered. Spell out in the contract how long the BA has to report a breach to your organization once it is discovered.
Requiring rapid notification ensures that you are notified in a timely manner and that you can work with the BA to determine the cause of, and fallout from, the breach by the time federal law requires you to report it, he says.