
In the many years that we have been working in the healthcare landscape, it has changed beyond recognition. Due to avoidable injuries, and even deaths, in healthcare facilities, various forms of legislation have been brought in to try to prevent them. This means that healthcare facilities constantly have to stay up to date with these changes and make sure they abide by the developing forms of legislation, which further complicates their workloads. There are various tools that can be used to help deal with these complications; one such tool is a BA Manager. Upon reading this article, you will hopefully learn more about what it is used for, and make a decision about whether it is the right tool for your organization, or whether another offering might be better suited to your needs.
HIPAA
The Health Insurance Portability and Accountability Act or “HIPAA” permits health care providers and health plans (known as “Covered Entities (CE)”) to share health information with third-party vendors, which are referred to as “Business Associates (BA)” under HIPAA’s regulations. In the past, HIPAA regulated Business Associates by requiring Covered Entities to manage them through basic contractual relationships, by signing Business Associate Agreements (BAAs). Having these in place freed the Covered Entity from any liability for a Business Associate breach.
This all changed in 2009 when Congress made Business Associates directly accountable to regulators for compliance with HIPAA’s regulations. With this enhanced accountability also comes more liability for the Covered Entity to assure that their Business Associates are following the required HIPAA guidelines. A Business Associate Agreement contract is no longer enough. They need to have systems in place to assure ACTUAL compliance with these regulations, which includes assuring that they are taking proper security measures to protect their data.
Covered Entities and their Business Associates are now subject to civil and, in some cases, criminal penalties for making uses and disclosures of PHI in violation of HIPAA. The oversight and management of this now becomes an even more daunting task for the CE and their BAs.
Large Covered Entities, such as health plans and health systems operating in multiple regions across the country, contract with thousands of BAs, and this is usually an estimate, as they have no structured systems in place for this oversight. At best, most are using Excel spreadsheets or some antiquated software to catalog the BAs but have no means to validate that their BAs are following the appropriate HIPAA regulations.
Managing Your Business Associates
Because of the lack of tools to help in this oversight, many find the cost of trying to enforce this too burdensome, and they do not have the resources to evaluate and audit their BAs. This is putting the CEs at an enormous risk. It is estimated today that more than 40% of HIPAA breaches are due to BAs, and these breaches come at a significant cost in penalties and reputation to the CEs and the BAs as well. In general, most Covered Entities do not have the resources to engage in any type of ongoing monitoring of the privacy and security activities of their Business Associates. This is where newer, more sophisticated technology can play a role. Using solutions that can help centralize and prioritize the risk profile of all of the organization’s BAs is the first step. The next step is to leverage more automated auditing and surveillance tools that can give the Covered Entity a control tower look into the risk and compliance profile of all of their BAs and thus greatly help in managing your business associates.
In order to reduce your risk of accountability, it is important to put in place the appropriate measures. At PolicyMedical, we offer three tools that can be used to help: BA Manager, Contracts Manager, and PolicyManager. You can click on each of these offerings to find out more about their use. You may deem that they could be very useful for managing your risk and liability, or you may deem that you don’t need such tools. We can answer any further questions you may have if you contact us, or alternatively, you can request a demonstration to see how the tools work.