Written by: Daniel Haurey on 10/02/13

If you use an IT services company to support your medical practice, the time has come and gone for them to understand and abide by the “Business Associate” (BA) requirement as laid out in the September 23, 2013 Omnibus Rule.  It requires IT solutions and services providers to sign Business Associate Agreements (BAA) with their healthcare clients. These agreements acknowledge the firms’ roles in keeping their clients’ protected health information (PHI) safe and sound and describe their shared liability in the event of a breach.

Select a partner that shares in your liability.

As a healthcare practice, you need your IT support vendor.  But this means extending access to a Covered Entities (CE) PHI to their employees and possibly sub-contractors.  Even though IT service providers may try to convince you that they are exempt, in most cases, it is clear that they are no exceptions and as such need to sign HIPAA Business Associate Agreements describing how they will protect PHI in all forms.  According to Stevie Davidson, CPHIT, a Governor appointed member of the New Jersey State Health Information Technology Commission, “Many BAs are in denial and feel if they hide and don’t sign an agreement will preclude them from any responsibility.  This is not the case.  Whether there is an agreement or not, the CE, BA and their sub-contractors are still liable.  If there is a breach, which results in an OCR investigation, NOT having the appropriate agreements in place will prove a lack of operational compliance that will lead to further investigation of policies and procedures across the board.”

Choose Wisely and Look for Healthcare Experience

Before choosing an IT services company, or any vendor for that matter, make sure they have significant experience in the healthcare arena. Ask questions and don’t be afraid to push back if you need to and consider alternative options.  Ensure your potential IT partner has had their own HIPAA Risk Assessment performed as well as having updated policies and procedures in place.  Per Davidson, The CE should always provide their own BA Agreement to the Business Associate to ensure that all of the necessary contractual requirements are in place.A BA Agreement coming from the CE ensures that obligations that meet federal and state requirements are provided and adhered to.  In addition, special considerations should be reflected such as termination and other criteria based on what they are specifically doing for you.”

Today’s technology-driven healthcare industry faces all sorts of IT challenges and strict regulatory requirements on data security.  Millions of patients and hospitals have been affected by major breaches in the last few years.  A venture into Health IT isn’t for everyone. Remember that experience and specialized training and awareness matters now more than ever before.

Stevie Davidson is the founder of Health Informatics Consulting, LLC.  She is a seasoned leader in healthcare, quality improvement, and information technology.


Medical, EMR, EHR