Isabella Porter is the director of compliance and privacy officer of District Medical Group and author of the chapter “Patient Privacy and Security: Business Associates” in the Complete Healthcare Compliance Manual.
In this podcast she shares the key considerations that covered entities – physicians, hospitals, health plans and others who fall under the requirements of HIPAA – must keep in mind when working with the business associates (BAs) with whom they share protected health information (PHI).
When considering a potential new business associate, she recommends confirming that the vendor understands that it meets the definition of a business associate. Quite often it does and already has a business associate agreement on hand. It is preferable to ask the vendor to use your own agreement, but if it will not – for practical reasons, business associates with a large number of customers cannot accommodate each customer’s agreement – see whether it is willing to amend its own agreement where necessary.
When assessing a BA, also take the time to determine whether it uses subcontractors. If it does, they should be referenced in the BA agreement. Also ask the vendor what kind of checks it performs on its own vendors and what its ongoing monitoring efforts look like.
One important thing to also check: where the data is housed. If the servers are outside of the US, there may be other laws to consider such as the European General Data Protection Regulation (GDPR).
Listen in to learn about the requirements for ensuring the soundness of your BA agreements, including ten elements that need to be included in each one.