Home Health & Hospice Week

Compliance:

Here's Why You Should Review Your Contracts Annually

Warning: Evolving cyber criminals may necessitate contract changes.

You can’t just start using a new contract and then forget about it, unless you want to court HIPAA compliance risks and fines.

As part of your HIPAA risk assessment, a thorough review of your business relationships will help you determine what agreements are necessary to align with HIPAA. It’s critical to update Business Associates and BA agreements, especially, because the HHS Office for Civil Rights will go right to your risk management practices after a breach. And your agency could get the blame for any PHI mishaps by BAs, so make sure your agreements are watertight.

“It’s not uncommon for healthcare organizations to go beyond HIPAA requirements in their BAAs, using the document as the basis for service level requirements, too. If your BAA is that comprehensive, check for language about how you want your partner to demonstrate compliance, as well as what cyberse­curity requirements, if any, are specified,” says Grant Elliott, CEO of Ostendio and co-founder and president of the Health Care Cloud Coalition (HC3).

Tip: So, even if you’ve covered your bases with an initial BAA, reevaluate your contracts.

“If you’ve had the same standard contract for a while, review it,” Elliot says. Check to see whether you can audit the security program, whether there have been any amendments since the contract was drawn up and signed, and consider whether the contract needs any updates as cyberattacks become increasingly clever and frequent, he recommends.

Other Articles in this issue of

Home Health & Hospice Week

View All