Managing Business Associates to Ensure Low Risk
We have recently received several requests from clients who are covered entities for "how to" instructions on managing Business Associates. In January we gave you instructions for being prepared for HIPAA Audits. One of the areas we suggested you focus on was: knowing the definition of a business associate and who your business associates are. Do you have a list of your business associates? Are business associate agreements in place? We suggest you use the tools and resources at your command to answer these questions and manage your Business Associates in a HIPAA compliant manner.
Here are your resources for managing Business Associates and Vendors:
BA Decision Matrix Tool Use this form to determine which (if any) of your vendors is considered a business associate or sub contractor.
Updated Business Associate Agreement Form Have each of your business associates fill out and sign this form. This agreement is to be used between covered entities and business associates. This agreement contains the new HIPAA Omnibus language effective 2013.
BA Cover Letters You may want to send a cover letter to your Business Associates when requesting an updated agreement. This is a sample letter that can be attached to your business associate agreements providing instruction to your business associates as to why you need them to complete the business associate agreement.
For those who are using our Corporate Plus system, you will also have these additional tools:
- OIG Exclusion List Service: All Employees, Business Associates, and Vendors, are checked when added to the system, then monthly thereafter. All individuals and entities uploaded to your online account are then cross-referenced against the Office of Inspector General's List of Excluded Individuals/Entities (LEIE). Any individuals or entities who are listed on the LEIE will be identified on your monthly report.
- Online BA Agreement Storage: Your uploaded Business Associates and Vendors will be cross-referenced against the Office of Inspector General's List of Excluded Individuals/Entities (LEIE). Any vendors who are listed on the LEIE will be identified when you click on them. They will also appear on your monthly OIG Exclusion List report.
The OIG has revised their process for evaluating exclusions under section 1128(b)(7) in 2016. There is now increased focus on checking for excluded individuals and entities. This change reinforces the need to verify your staff, business associates and vendors through the LEIE checking system monthly. Using the resources listed above will ensure that you are managing your Business Associates in accordance with federal regulations.
As always, if you have any further questions about your HCP website or compliance program please reach out to your contact at HCP or simply email [email protected]