While we've spent time over the past couple of months helping Covered Entity Admins and Users, I thought it was time to help Admins spot check their Business Associates. In January this year, we saw an update to the provisions for our Business Associate Agreements that should be included in any new agreements you sign: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html Business Associates must meet all the compliance requirements by the September 23, 2013 deadline, even though you have until September 22, 2014, to replace all your current agreements.
Your revised BAA should point out that BAs now also carry many of the same obligations for security efforts, breach notification and security awareness education. Reach out to your favorite medical association and they can probably help you get updated agreements to use.
While BAs are now directly liable, a CE's obligation doesn't stop with asking for the signed agreement. CEs should still exercise some diligence to make sure that BAs practice good security habits, have written policies, conduct periodic security audits and run internal security awareness training.
CEs should also make sure that the service organizations they work with alert their own subcontractors to these obligations if those subcontractors handle patient data. Make sure you know of any subcontractors your providers are using and that your providers are bringing them into compliance.
Make sure your efforts don't stop at asking for a new signed document. Since 2009, Business Associates are estimated to have been responsible for 20% of the reported data breaches. Check with your vendor contact and ask them to explain some of the things they are doing to protect their systems, and potentially your data.