When it comes to HIPAA, don't be bossy with business associates

Don't try to be Big Brother to your business associates (BAs) and put stress on your own healthcare organization as the new HIPAA omnibus rule goes into effect, warns Frank Ruelas, compliance officer at Gila River Healthcare in Sacaton, Ariz.

BAs know they will be directly liable for compliance under the HIPAA Security Rule and parts of the Privacy Rule, he says in an article at HealthITSecurity.

"They now have that direct liability attached to what they're doing as a function of their activity," Ruelas is quoted as saying. "You can no longer say there was no contract executed and they're not liable to HIPAA. Once they start fulfilling that function, they've become defined as a BA."

Ruelas, also a principal of HIPAA College, a privacy and security consultancy in Casa Grande, Ariz., says contracts stipulate that BAs will provide copies of policies and procedures upon request. But you probably don't want to audit every BA's security practices on top of your own organization's, especially if they number in the thousands.

"Many covered entities feel like they need to be a Big Brother to their BAs," Ruelas said. "We already have a Big Brother--OCR."

Indeed, placing impossible demands on BAs can torpedo those relationships, according to a recent article in the Journal of the American Medical Association.

Authors C. Jason Wang, M.D., of Stanford University and Delphine Huang of the School of Medicine at the University of California, San Francisco, say that the U.S. Department of Health & Human Services may have "significantly" underestimated the costs associated with compliance.

That's a jarring thought, since the Department of Health and Human Services' Office for Civil Rights (OCR) recently predicted that compliance will involve 32.8 million hours of work.

North Carolina's CaroMont Health recently outlined all the work required just to identify all its BAs.
