What should the CE know about a prospective BA?
To begin, the CE should confirm any and all names that have been used by the BA,
whether now or in the past, so as to confirm that none of these names are listed
in the Office of Inspector General’s List of Excluded Individuals and Entities (OIG)
or the General Services Administration’s System for Award
Management f/k/a the Excluded Parties List System (SAM). A
review of the OIG Corporate Integrity Agreement database is another way to
confirm any prior enforcement actions that may have involved a prospective
BA. Additionally, if the BA maintains certain licenses, registrations or
other credentials necessary to perform their services on behalf of the CE,
these qualifications should be verified by the CE. Review of business
references, or maybe even a telephone interview with another CE, may also be
helpful.
Proof of insurance coverage and some information about claims history should be
requested. A general search for any public filings about the BA can also
provide additional information about their resources, business relationships
and reputation. The BA may also be asked to disclose any outside business
relationships which might represent a conflict of interest in doing business
with the CE.
Because the BA is subject to HIPAA, as a result of the HITECH amendments, the CE should
inquire about the BA’s HIPAA compliance program, including but not limited to
the recent completion of a HIPAA security risk assessment process, the adoption
of HIPAA policies and procedures, and the extent to which the BA will engage
the services of subcontractors, from time to time, to assist in the performance
of services. Although not a HIPAA consideration, many CEs take additional
steps to confirm the health status of the BA who will have any physical contact
with the CE’s workforce or clients, including but not limited to up-to-date
vaccination records and negative TB testing results.
How should the CE gather this information about the BA?
The CE can conduct its due diligence using a range of techniques. The BA
could be asked to submit to a formal request for proposal process or the CE may
ask the BA to complete and return a due diligence questionnaire.
Selected HIPAA compliance documents may be requested as well.
Depending on the nature of services to be performed, an in-person interview or
even a site visit may be in order.
In summary, the use of a well-drafted BAA, in addition to the use of an effective
due diligence process, not only makes for a proper introduction to the BA but
also serves another important purpose in allowing the CE to educate the BA and
to communicate the importance of HIPAA compliance long before the parties sign
on the bottom line.
If you have any questions or require additional information regarding the
establishment of a HIPAA-compliant CE-BA business relationship, please contact
Susan Ziel at sziel@kdlegal.com, Mark Morrell at mmorrell@kdlegal.com, Meghan McNab at mmcnab@kdlegal.com or Jaya White at jwhite@kdlegal.com.