Business Associate Agreement Audit
Health organizations must use tools to encrypt PHI in order to send it safely to partners, and they prescribe the use of those tools in their HIPAA business associate agreements. But the security of your data depends not only on the right encryption technology and training, but also on convenience. If a tool is too difficult, slow or unreliable to use, workers take shortcuts and get the job done with insecure alternatives such as unencrypted email.

However, it is not enough to define your partner's responsibility for protecting PHI; the agreement must also spell out how they are expected to do so. A HIPAA business associate agreement should address how the partner is permitted to use the PHI, who may access it and under what circumstances, and what protections the partner will require of its subcontractors.

According to the OCR, the clinic entered into a verbal agreement with a vendor whose business included the recovery of money from X-ray films. In exchange for the money recovered, the vendor agreed to transfer the X-rays to electronic media. The clinic failed to execute a written agreement with the vendor before handing over the X-rays and patient information. Such agreements are required under HIPAA.

As a parenthetical note, some BAs have had my HIPAA compliance consulting firm, EMR Legal, audit them so that they can show potential customers their EMR Legal HIPAA Compliance Certificate as a business associate. They use this certificate as a marketing tool.
Even if I were to issue such a certificate incorrectly, which is highly unlikely, the covered entity would be protected for having properly verified the BA's compliance status before using the BA. For more information on how Linford-Company can assist your organization with its compliance requirements, please see the information about our corresponding organizational audit services.

Business associates are third parties who perform work or activities on behalf of a health organization or covered entity that involve the use or disclosure of protected health information (1). A few examples may be:

Business associate agreements are not only necessary to ensure compliance; they are essential to ensure adequate protection of the patient's PHI. The HITECH Act requires health care providers to use electronic medical records for a number of tasks, including supporting clinical decisions, recording and transmitting prescriptions and laboratory orders, and accessing records. Even independently of HITECH, physicians regularly use electronic means to communicate with business associates and other clinics, process electronic invoices and exchange PHI.

Your objective should be to go beyond the minimum requirements imposed by the HIPAA business associate agreement rules. This not only minimizes risk by holding your partner accountable for maintaining excellent security, but also ensures that you are not subject to an enforcement action in the event of a breach. Although HIPAA business associate agreements have always been a requirement, enforcement actions were previously very rare. Until recently, the OCR focused almost exclusively on violations committed by covered entities.
All that changed in 2016. Covered entities remain responsible for protecting protected health information (PHI) even when it is held off site, and the HIPAA business associate agreement is the only tool that can enforce that protection. Your organization should review HIPAA business associate compliance as carefully as any other security and compliance control.