HIPAA Compliance as a Differentiator for Business Associates

The first reporting year for Meaningful Use Stage 1 has passed and covered entities are trying to see their way to the finish line for the 2015 reporting year, which is bound to arrive before they know it. In preparation, they are tightening the reins on measures designed to fulfill criteria that were obstacles for them during 2014 or those they heard were in the paths of other Covered Entities. A major obstacle that was confusing for many involved the requirements for business associate compliance and business associate contracts.

Detailed Business Associate Agreements (BAA) provide the specific guidelines to ensure Business Associates clearly understand the extent of their responsibilities to the covered entity. This is beneficial for both parties, as the eligible provider (EP) knows what can be expected of a business associate (BA), so if additional services are required other BA’s can be approached. As for BA’s, their affiliation with the covered entity and the associated tasks may not account for 100% of their business operations interests. A HITECH compliant BAA lets BA’s know precisely what functions they are expected to perform for the covered entity. BA’s are then better able to use the agreement to determine how much time is required to complete the expected tasks for the EP in a manner that is fully HIPAA compliant. Basing time and personnel allocation on the BAA ensures that the appropriate resources will be available to meet all obligations for the EP as well as those independent of the EP. While many people focus on whether the BA is HIPAA compliant according to HITECH, often the problem is not with the BA but with the contract. This link will provide you with a Sample BAA which is comprehensive and easily modifiable.

The collective world view of covered entities following the 2014 reporting year has significantly changed. While Henny Penny may have run around needlessly warning everyone that the sky was falling when it was not, many eligible providers who did not take HIPAA compliance seriously during the previous reporting year found that for them, the sky, in fact, was falling. Given that Atlas is unavailable to hold the sky up in the coming year, these providers have become true believers in being overprepared next time around. This means that they will be checking and double-checking everything a BA does, since BA’s are generally offsite and not under the organization’s umbrella. What this means for you as a BA is that the covered entity with whom you’re associated will be asking for many more assurances that you are in compliance in the coming year than they likely did in the previous year. They will not just take your word for it either. While last year it may have been enough to assure them you had run your own risk analysis and all was well, this year they are more likely to ask for written evidence of your compliance with everything they have listed on a checklist.

Business Associates need to be aware of how overwhelmed covered entities may feel due to the pressure to get it right this year and avoid losing incentive money. Smart potential business associates will take the initiative to identify key areas they are strong in and that will be valued by covered entities, in order to differentiate themselves and their services in the marketplace from competitors seeking to land the same business. A potential BA that waits for the covered entities it is in contact with to point out the areas in which it can provide services will likely lose business, since covered entities are struggling with updating their own HIPAA compliance systems and don’t have time to enlighten potential business associates.

Making it as easy as possible for them to understand exactly how you can help them in their striving to be HIPAA compliant in the coming year, without adding to their worry, will be more likely to result in mutually beneficial relationships with covered entities. Being pre-emptive by outlining the functions you perform which will be useful for a CE, and providing a demonstration of exactly how your services can be useful, will help convince them you are the right BA for the position. Presenting a complete overview of the steps you have gone through to become and remain HIPAA compliant, showing them they do not need to micromanage you to avoid additional risks, will help seal the deal. Once you have been brought on board as a BA for one covered entity, if you meet their expectations and provide documentation of your risk assessments and other methods of maintaining compliance without their asking you for them, they are bound to sing your praises. One satisfied CE is enough to start the ball rolling until you have more requests for your services than you can manage.

But Leading with HIPAA Compliance is Counterintuitive :

Yes, it is. Which is exactly why as a BA you want to do exactly that. In a few years, everyone will have jumped on the HIPAA bandwagon. Yet if you want to get ahead of the pack and use HIPAA compliance as a market differentiator, the time to do so is now. The bottom line is that, like taxes, no one likes all that it takes to become and remain HIPAA compliant in order to be a BA. However, businesses that can become BA’s have a greatly enhanced revenue stream. In order to stand out from your competitors, becoming fully HIPAA compliant now, with a complete understanding of what this means along with the ability to demonstrate it to CE’s, will get you the attention you need and the contracts you want. For those lagging behind, by the time they realize they too can add revenue to their organization by becoming a BA for one or more CE’s, it may seem too great an investment in a marketplace that is already filled with those who got there first. This is not to say that once you establish HIPAA compliance everything will be smooth sailing. Getting to the top isn’t enough; it’s staying there that’s the tough part. It requires work and constant awareness and observation of all aspects of compliance, as well as updating your policies and ensuring that necessary training of any of your personnel is regularly conducted.

Does it sound like I have you confused with a CE with all these responsibilities? Welcome to the new Healthcare environment. It’s 2014 and HIPAA vigilance isn’t just for Covered Entities anymore.

Getting Up to Speed :

Before you can be seen as an expert in anything, you have to have your own bases covered. This takes an investment of time and money at the outset. While the amount of money differs based on the realities of the business, the amount of time necessary to become well versed in the HIPAA rules and how to become compliant with them will remain sizable. When you do your projections for the expected increase in revenue, however, you will see it is well worth the time.

Make sure you know the rules backwards and forwards and ideally can recite them in your sleep. Once these become second nature, you will be able to anticipate what needs to be done in terms of risk assessments and mitigation, what your requirements are in regards to the privacy rule, and whether you are responsible for breach notification. The bottom line is that more is better. Instead of worrying about exactly which aspects of what laws you are required to fulfill, learn them all, keep them all, attest to them all, and your covered entity will rest easy, letting you do so also.