4 Reasons why you need a business associate management system

Managing business associate agreements is causing a great deal of aggravation. Over a decade ago, health care quality, compliance and security professionals were most concerned with the mismanagement of policies and procedures.

Now that policy management systems have reached the late adopter phase, attention has shifted to business associate agreements (BAAs). These newer documents carry a degree of uncertainty and ambiguity that causes health care compliance and security professionals considerable unease.

Before going further, it would be prudent to define what a business associate is. According to the U.S. Department of Health and Human Services (HHS) website - "a business associate is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information."

Now what is a covered entity? Well, within the guidelines of the HIPAA rules, covered entities are "(1) health plans, (2) health care clearinghouses and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards."

With those definitions in place, a business associate agreement is easy to understand: a BAA is the contract between a covered entity and a business associate that sets out the business associate's responsibility to protect the PHI it receives. The frustration for health care staff lies in how to manage these documents properly, and they are quickly becoming a top priority for compliance officers and contract managers.

Like policy and procedure management, business associate agreement management is vital for health care organizations because mismanagement leaves them exposed to fines and, more importantly, to potential breaches.

Here are the top 4 reasons why hospitals should have a business associate agreement management system:

1. HIPAA sets stringent requirements for how this data must be protected, and a breach carries significant financial and reputational consequences. Civil penalties can reach $50,000 per violation, and penalties for violations of an identical provision are capped at $1,500,000 per calendar year, so repeated failures add up quickly. The total cost of a single HIPAA violation can exceed $5 million per incident, a cost that most hospitals and health care facilities cannot sustain, quite apart from the damage to the hospital's brand and reputation and the resulting loss of revenue. Against the possibility of breaches and fines, it is simply too costly not to have a system in place.

2. A business associate agreement alone no longer removes liability. In the past, a covered entity that disclosed PHI to a partner (the business associate) could shift its liability for the partner's mishandling of that PHI by signing a BAA that spelled out the partner's responsibility to protect the data. Changes to the HIPAA rules now place more responsibility on the covered entity to ensure that its business associates are actually taking the proper steps to protect this data. A signed agreement on its own will no longer suffice; a purpose-built compliance system is needed to keep up with the complexity of the task.

3. Manual management of BAAs is becoming impossible. Today most health care facilities rely on a spreadsheet listing the agreements they hold and when each was signed. That gives compliance staff no way to monitor the risk profile of their business associates, and no evidence or audit trail showing that they tried to. An average hospital has more than 500 business associates, and stratifying their risk, monitoring their compliance and providing oversight by hand across that many relationships is impossible.

4. Simply going after the low-hanging fruit is not good enough. Organizations are doing one of two things: either focusing solely on the BAAs they consider high risk (partners that handle large volumes of PHI), or knowingly accepting the risk of relationships they cannot monitor. Some business associate management systems provide a simple and effective way to centralize and manage agreements and to gain real insight into compliance across all of them, not just the obvious few.

Saud Juman is CEO and founder of PolicyMedical, which provides Policy Management, Contracts Management and Business Associate Management software, and support, for the healthcare industry in North America. He can be reached at sjuman@policymedical.com

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.

Copyright © 2022 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.
