HITECH & BAA & Vendor Credentialing

September 11, 2009 at 5:33 pm 3 comments

Several of our healthcare customers came together for a call last week to talk about the implications of the Health Information Technology for Economic and Clinical Health (HITECH) Act, particularly as it concerns vendors that meet the “Business Associate” requirement.   Representing hospitals from California to Florida to Michigan and in between, these systems shared a common concern about the best way to prepare for this act.  

If you’re not familiar with the BA concept, a business associate is a role defined by the Department of Health and Human Services and is essentially any organization that assists a covered entity (e.g., hospital) with the performance of functions that involve access to protected health information (PHI). In the HITECH Act, requirements that were once only the obligation of the covered entity are now expanded to be directly required of the BA. The biggest concerns involve the data security and breach notification requirements, with potential direct civil and criminal penalties.

For the group, the questions ran along the lines of:   How does this change our existing relationships with Business Associates?  Will vendors resist continuing BA relationships because of these increased requirements?   What role does this play in vendor credentialing programs?

By the end of the call, few conclusions were reached.   The Act isn’t in force yet, and further comments and clarifications are expected from HHS.   The group did agree that there was a very helpful overview from Rachel Nosowsky, Esq. for the American Bar Association here.

Looking ahead, healthcare providers may want to include requirements related to the HITECH Act in their BA agreements, such as requiring patient privacy training for employees and asking BA employees to acknowledge data security policies and practices.

But there was one significant point of consensus: the content and terms of Business Associate Agreements are the domain of the contracting effort, not the rep credentialing program. A hospital should no more ask a rep to sign off on amended BA agreements than it would ask a rep to unilaterally approve a change in contract terms.

3 Comments

  • […] policy is just one example of the type of event that raises red flags.  (We touched on this issue earlier. )    Look for vendors to ask the credentialing outsourcers to provide the ability for […]

  • 2. HITECH & HIPAA & BAA « Vendor Compliance  |  February 4, 2011 at 4:37 pm

    […] first touched on this issue in a September, 2009 blog post, “HITECH & BAA & Vendor Credentialing.”   At that time, Vendormate hospitals were brainstorming about how to approach the new data […]

  • 3. seattle public schools  |  January 6, 2014 at 8:41 pm

    Everything is very open with a clear description of the issues.
    It was truly informative. Your website is extremely helpful.
    Thank you for sharing!

