Your work isn’t done after signing a contract with a business associate (BA). You need to do more than simply assume that your BA is following through on terms of the contract.
Although the BA is performing important continuing functions, says John R. Christiansen, JD, managing director at Christiansen IT Law in Seattle, covered entities should provide regular (e.g., annual) audits for security compliance. Consider checking for some aspects of privacy compliance as well.
“The BA may want to conduct its own audits and provide the reports to clients in order to avoid audit duplication, which is fine, as long as the auditor is genuinely independent and competent and the report is complete,” says Christiansen.
William H. Roach Jr., MS, JD, partner at McDermott Will & Emery in Chicago, says periodic inquiry is sufficient unless you are suspicious that the BA is violating the agreement.
“In that case, the covered entity is required to take corrective action up to and including terminating the BA agreement if the BA does not take the necessary corrective action,” he says.
Reproduced from HIPAA Weekly © 2008 HCPro, Inc., 200 Hoods Lane, Marblehead, MA 01945. 781/639-1872. www.hcpro.com. Used with permission.