The Wolf Is Indeed With the Sheep
In the health law industry, providers often feel like people in positions like mine – attorneys, consultants, advisors, etc. – are like the little boy who cried wolf. As you will read below, we are not “crying wolf” about the need to update HIPAA Business Associate Agreements. You know the fable:
A young shepherd was bored watching his sheep. To amuse himself, he took a deep breath and yelled out “Wolf! Wolf! A wolf is chasing the sheep!” The townsfolk run out to the meadow to help the boy, only to find no wolf. Later, the boy yelled out the same thing again. “Wolf! Wolf! A wolf is chasing the sheep!” The townsfolk again appeared to help, only to find no wolf. Shortly thereafter, when a wolf indeed was among the sheep, and the boy yelled out, the townsfolk ignored him.
As a healthcare attorney, clients ask me to tell them when there’s a wolf among their sheep, so to speak. I hear from a lot of my clients that they get tired of advisors and attorneys always telling them that each and every new regulation out of Washington or Florida supreme court decision out of Tallahassee requires the client to change policies or do some change that, of course, requires the client to spend money on attorneys’ fees and consultants fees. Hospital and medical practice CEOs and in-house counsel get alerts from national trade organizations on a near-daily basis. Sometimes clients retort to me: “Ann, do I really need to do this?”
Well, as to the newest HIPAA changes, the answer is a resounding YES! There indeed is a wolf among your sheep if you have not inventoried, analyzed and amended your business associate agreements.
The deadline is September 23 – only three months from now – for any covered entity (physician group, hospital, imaging center, surgery center, etc.) to update their Business Associate Agreements to comply with the HIPPA rules that came out last year.
You want to move your HIPAA compliance review to the top of your list. And that’s not crying wolf.
Business Associate Agreements have long been required. They are the contracts between providers companies that see the providers’ medical information, medical records, or “protected health information.” Typical business associates include billing companies, auditors, IT staff, EMR providers, cloud computing hosts, shredding companies, practice management software companies, and copier leasing companies. Most health care providers have at least 10 business associates, on average. Knowing who your business associates are, and making sure you have contracts with them that comply with HIPAA, is required by law. What had to be in the business associate agreements prior to September 23, and what must be in them after September 23 are not the same. In other words, if your business associate agreements are compliant today, I’m pretty certain that they aren’t compliant when the new rule is in effect on September 23. The new rules really did contain a “wolf,” requiring amendments to business associate agreements.
Because this is mandatory and could be substantial amounts of work for clients, we have put together a number of packages from clients to choose from for their HIPAA update work. If you are interested in seeing the options in scope of work and price for us to help your company identify, analyze and update your business associate agreements, email firstname.lastname@example.org.