Thursday 11 February 2016

Some More On Business Associate Compliance

Business Associate (BA) compliance has become a complicated concept in the world of health care, not to mention the real-world confusion with the Affordable Care Act and all its problematic pages and pages of complex rules, regulations, mandates and other issues. Actual BA compliance has to do with a health care organization’s ability to document how its BAs are safeguarding patients’ protected health information (PHI) while diminishing any risks associated with handling that data.

Health care organizations themselves are becoming more and more aware of their BA risks. They are raising expectations of their associates to perform and provide pertinent documentation necessary to prove that they are not only compliant with HIPAA, but that they have an effective risk management system in place as well. Before HHS made its addendums to federal HIPAA regulation, BAs were given somewhat of a free rein with their compliance. However, since September of 2013, BAs must meet the same standards as the hospitals, clinics, and doctors that they service or represent.

As far as the kind of proof necessary to meet compliance, it could entail BAs completing a questionnaire, but it could also involve more than that, like recent risk assessment reports, policies and procedures concurrence, and staff training documentation. Business Associate Compliance Agreements (BAAs) must be signed by BAs to protect a Covered Entity (CE) from liability in the event that a BA is found out of compliance with HIPAA.

The definition of a BA has changed in a number of ways since HIPAA was established. It now includes not only BAs but a BA’s subcontractors as well. Any subcontractor that handles PHI on behalf of a BA is beholden to the same HIPAA regulation as the BA itself. The BA is liable for the acts of its subcontractors, and the BA and its subcontractors are required to have agreements and assurances between one another concerning their relationships and expectations. The BA must strike a balance between giving direction to its subcontractors, who are unfamiliar with HIPAA guidelines, and putting forth the kind of authority that makes for workable relationships.

These kinds of requirements bring about new sources of liability to the BA. BAs not only have to comply with the law, but they must improve and adjust their position within the HIPAA parameters given to them. In order to operate under the provisions of HIPAA, BAs have to carefully separate or distance themselves from agency relationships with their subcontractors, and be able to efficiently utilize indemnification provisions in their BAAs. The BA works toward finding the right strategies to limit its exposure to new sources of liability or potential breaches, while effectively managing other risks to its HIPAA compliance.

BAs are required to comply with HIPAA regulation, and their model of operations has changed significantly with increased responsibility for subcontractors as well as the pressure of increased liability. The BA’s expanded model of operations and adaptations to HIPAA regulation can be difficult tasks, with accountability for PHI posing just as much of a challenge.

Sunday 10 January 2016

Meeting Exacting Regulatory Demands through Compliancy Group's Policy Management Software

How do today's health care professionals meet the ever-increasing demands for regulatory compliance and reporting? Some hire armies of analysts and clerks, putting a big dent in their bottom line. Others look to big name consultancies, gambling their success on the recent college grads that populate such firms.

A growing number of savvy, innovative managers have found a better way. These professionals, who work at hospitals, private practices, community medical centers and specialty practices, are building successful regulatory compliance programs around The Guard, an innovative Policy Management Software from Compliancy Group.

Compliancy Group was founded in 2005 by a high-powered team of professionals whose diverse backgrounds included auditing, compliance, risk management and software development. They saw an opportunity to address the shortcomings of traditional HIPAA consulting by developing a robust, web-based policy management software tool, The Guard. Through this software, Compliancy Group offers a complete compliance tracking and management solution at a fraction of the time and cost of more traditional approaches. Features include a compliance management repository with extensive, up-to-date regulation lookup; account management capabilities covering both members and vendors; audit and remediation features; incident tracking, training tracking and document registration; and a full-featured reporting module.

Praise for Compliancy Group has come from leading technology and healthcare industry sources, as well as Compliancy Group's own clients. CRN, a well-regarded publisher of technology news and analysis, praised The Guard as one of 10 "Hot HIPAA Compliance products," highlighting Compliancy Group's software as "easy to use and easy to understand." eClinical Works hailed this "simple, cost-effective, web-based solution, that can help any organization regulate every aspect of HIPAA compliance," adding that "Compliancy Group allows anyone to simplify the challenge of compliance, whether they are an experienced compliance expert or a small medical practitioner."

Compliancy Group also works to acquaint health care managers with the increasing mandates of HIPAA, such as the 2013 Omnibus Rule. This mandate strengthens patient health information protection while increasing noncompliance penalties to up to $1.5mm per violation. Through Compliancy Group's webinars, recognized industry experts can educate health care professionals about these challenges and available solutions.