Vendor Compliance

Several of our healthcare customers came together for a call last week to talk about the implications of the Health Information Technology for Economic and Clinical Health (HITECH) Act, particularly as it concerns vendors that meet the “Business Associate” requirement.   Representing hospitals from California to Florida to Michigan and in between, these systems shared a common concern about the best way to prepare for this act.  

If you’re not familiar with the BA concept, a business associate is role defined by the Department of Health and Human Services and is essentially any organization that assists a covered entity (e.g., hospital) with the performance of functions that involve access to protected health information (PHI).   In the HITECH Act, requirements that were once only the obligation of the covered entity are now expanded to be directly required of the BA.   The biggest concerns are along the data security and breach notification requirements with potential direct civil and criminal penalties.  

For the group, the questions ran along the lines of:   How does this change our existing relationships with Business Associates?  Will vendors resist continuing BA relationships because of these increased requirements?   What role does this play in vendor credentialing programs?

By the end of the call, few conclusions were reached.   The Act isn’t in force yet, and further comments and clarifications are expected from HHS.   The group did agree that there was a very helpful overview from Rachel Nosowsky, Esq. for the American Bar Association here.

Looking ahead, healthcare providers may want to include requirements related to the HITECH act in their BA agreements — such as requiring patient privacy training for employees and asking BA employees to acknowledge data security policies and practices, etc.

But one significant point of consensus:   The content and terms of Business Associates Agreements are the domain of the contracting effort, not the rep credentialing program.   A hospital should no more ask a rep to sign off on amended BA agreements than it would ask a rep to unilaterally approve a change in contract terms.