A decade ago, management of Business Associate Agreements (BAAs) was relatively easy. In fact, for most industry stakeholders, it was viewed as a low-priority compliance responsibility that essentially amounted to checking off another HIPAA requirement.
Today, the stakes surrounding BAA compliance have become increasingly high. Compliance professionals need to be equipped with a deep understanding of how these agreements fit into a privacy and security strategy and how to optimally manage them. In this white paper, you will learn:
Welcome to Compliance!
If you are new to healthcare compliance, we applaud your efforts to protect the industry’s most important asset: patient data. We also recognize the overwhelming nature of navigating healthcare’s complex regulatory web and hope to make your job a bit easier.
So, take a deep breath, exhale and consider how the following information can help you optimize one of healthcare’s growing compliance challenges: management of Business Associate Agreements (BAAs).
Depending on the size of your organization, you may have a team of professionals working with you or you may be the one-stop-shop for all compliance matters. The reality is that compliance staffing models vary widely across hospitals, health systems and other healthcare service providers. Yet, regardless of structure, all healthcare compliance leaders share a common reality: your organization shares data with a growing number of business partners and vendors, and BAAs need to be in place to comply with HIPAA.
BAA Basics: Where do you fit?
HIPAA requires that Covered Entities (CEs) and Business Associates (BAs) enter into a written agreement, the BAA, that obligates the BA to safeguard protected health information (PHI) in accordance with the HIPAA Privacy and Security Rules.
An organization may be a CE, a BA, or both at once (for example, a health system that also performs services involving PHI for other CEs). A BA's subcontractors that handle PHI are themselves BAs and need their own agreements.
The lines can get blurred. That is why you must not only understand your organization’s classification, but also how that classification may change with each agreement and relationship.
BAA Management: So, where do I begin?
New compliance leaders often find that they have inherited multiple messes: risk analyses and privacy policies are out of date, compliance audits are behind and of course, BAA management is a disaster. If this is you, rest assured that you are not alone in your struggle. BAA management has become increasingly complex in recent years due to a perfect storm of security and regulatory initiatives.
As the compliance lead, you were likely provided documents that describe the policies and procedures related to all areas of privacy, including HIPAA. You were also likely handed a pile of BAAs in either digital or paper format, although it is probably difficult to determine if the stack you are holding is complete or if others exist.
There are many reasons why BAA management has become fragmented. For example, if your organization is like many in healthcare, it has likely completed a merger, acquisition or a strategic partnership in recent years. Or, it has simply been growing.
The momentum behind healthcare consolidation trends shows no sign of slowing, and while these movements are great for creating economies of scale, they wreak havoc on BAA management. Compliance directors like you must often navigate across multiple facilities and departments to locate agreements within disparate systems and paper files. In addition, your organization may not have a centralized compliance function, which means you must identify and reach out to others who have ownership of BAAs. You are not alone in your compliance headaches!
As a simple exercise, industry experts suggest pulling a sample of existing BAAs and writing down the following information about each one:
PHIflow is a data and technology company combining artificial intelligence and legal expertise to help companies understand their HIPAA Business Associate Agreement (BAA) risks and requirements.