Where Do I Go From Here?
Until recently Business Associate Agreement Management (BAAM) was relatively easy.
Did You Know?
Most industry stakeholders view BAAM as a low-priority compliance responsibility that essentially amounts to checking off another HIPAA requirement.
Not Anymore …
Today, the stakes surrounding Business Associate Agreement (BAA) compliance have become increasingly high.
Compliance professionals need to be equipped with a deep understanding of how these agreements fit into their privacy and security strategy and how to optimally manage them.
Whether you’re new to healthcare compliance or have been on its front lines for many years, we applaud you and everything you do to protect your organization’s most valuable asset: Patient Data.
BAAM: So, Where Do You Begin?
As a compliance officer, you might find that you’ve inherited a multitude of messes. Start with your documentation: verify that it exists and is not out of date or obsolete. Other areas to include in your examination (but not limited to):
- Incomplete risk analyses
- Unmitigated risks
- Policies and Procedures
- Unperformed compliance audits
- Workforce training program
Depending on the size of your organization, you may have a team of professionals working with you or you may be a one-stop-shop for all compliance matters.
Either way, all healthcare compliance professionals share two common realities:
- Your organization shares data with a growing number of business partners and vendors, AND
- Current and signed BAAs need to be in place BEFORE any protected health information (PHI) is exchanged with Business Associates (BAs) to comply with HIPAA.
BAA Management: It’s not for the faint of heart
The first step toward optimal BAAM is answering key questions about each BAA, as defined in Episode 73: Know The Rules! Business Associate Agreement Management.
I understand completely that this type of oversight and analysis is tedious and time-consuming—especially since the average health system maintains thousands of BAAs, and successful and growing BAs often house hundreds, if not thousands, of these contracts as well.
Truth Time …
Today we’re going to get REAL!!
Here is where the rubber meets the road and the road …
Let me propose a few questions for you to ponder to evaluate your organization’s success:
- Was all the information available?
- How long did that take?
- How many BAAs were in that folder?
- Now imagine conducting this analysis for all BAAs in your organization.
If this seems like an impossible task, you probably did the audit correctly.
Getting Into the Weeds of Your BAAs
Now we’re going to put the data you collected to use to continue our BAA analysis.
Answer the following questions (using the same BAs from our previous exercise from Episode 73: Know The Rules! Business Associate Agreement Management):
1. What are our Data Rights?
a) Can we de-identify PHI, aggregate and sell the data?
b) Across all of our vendors, are we allowed to:
i. De-identify PHI from each vendor
ii. Aggregate PHI for and across vendors
iii. Sell the data
2. What are our Limitations of Liabilities?
a) What is the specific limitation of liability for each of our individual vendor relationships?
b) What is our potential total liability across all of our vendors?
3. Do we have enough Cyber Liability coverage?
a) What are our Cyber (or E&O) Insurance requirements, specified by our vendors?
b) What are the Cyber Insurance requirements (if any) for each of our vendor relationships?
As with any weeding job, we often find that what we thought would take only a minimal amount of time has turned out to be a never-ending project. If this is where you find yourself, rest assured that you are not alone in your struggle.
There are many reasons why BAAM has become fragmented. They include a merger, acquisition and/or strategic partnership in recent years, or the organization has simply been growing.
Moving Toward Optimal BAA Management
BAAM is your responsibility and just like weeding, it is better when we don’t let it get out of control.
While the current state of BAAM in your organization is not your fault, it’s vitally important that you clean it up.
And fortunately, there are tools that can help.
Covered Entities and Business Associates need to understand that patients are entrusting YOU with their most private and intimate details and they expect it to remain secure!
After all, it is YOUR practice, YOUR patient’s trust, YOUR reputation and YOUR legacy!
Why are you leaving yourself wide open to these risks?
Now it is your turn to take action!!
Developing your BAAM process will help your organization understand the risks and requirements detailed within your BAAs. To learn more about how to automate your BAA review, or any other part of what goes into a BAAM process, schedule a call with us today!