Blog | July 29, 2014

A Business Associate’s Compliancy Journey: Business Associate Agreements

Small businesses commonly face challenges in HIPAA compliance that larger companies do not face. One such challenge may be creating and executing Business Associate Agreements with subcontractors such as document management companies, couriers, and technology providers.

For most small businesses, day-to-day operations may not necessitate having an attorney on staff. Additionally, the business’s resources might not allow for intensive engagements with attorneys. As a result, when final rules are published, many small businesses will be forced to do their own research as to how to remain in compliance. This may be true in particular when it comes to developing a Business Associate Agreement for company use pursuant to the Department of Health and Human Services (HHS) final rule.

1. Look for Free Resources Online Before Involving an Attorney

Fortunately, in many circumstances, resources will be available online. For example, the HHS’s website includes a free template for a Business Associate Agreement. Companies are free to edit the template to fit their needs. With much of the legwork potentially already completed, the edited template can then be sent to an attorney for review—a much more cost-effective solution than having a custom agreement drafted from scratch.

2. Find Ways to Achieve Procedural Efficiencies

Depending on the situation, the revised template agreement—now with attorney approval—can then be sent out to clients and subcontractors to be signed. Small businesses may want to take this opportunity to kill two birds with one stone by conducting site visits with subcontractors as part of this process to ensure HIPAA compliance on their end. The compliance check may include inspecting the physical security of their workplace and the security of their networks or other technology resources that may be used in the course of their subcontracted business transactions.

In the context of the HHS’s final rule for Business Associate Agreements, this process can additionally include sending out security assessment questionnaires to clients who may access personal health information (PHI) in the course of business.

3. Keep Track of Compliance Efforts—Including Subcontractor Compliance

Small businesses may want to maintain a log listing each subcontractor, a copy of their signed agreement, the date their agreement was signed, and notes on any related site visits to ensure timely follow-up and organization. Using this system may improve the ability to achieve success in getting agreements signed, as well as provide verification of HIPAA compliance via site visits. This method may also ensure the maintenance of existing agreements with all current and future subcontractors.

Although achieving HIPAA compliance is a daunting task for small businesses, there are resources available to help make the journey a bit less intimidating—and considerably more affordable—when a small business’s compliance team is willing to seek alternative solutions.