[ Thursday, March 24, 2016 ]
Phase 2 Audits will impact BAAs:
Jeff [9:49 AM]
that's Modern Healthcare's take
. Maybe; in my experience BAAs are generally in pretty good shape. Obviously, there is a broad and wide diversity of BAAs, from the super-simple "just the facts" recitation of the regulatory requirements to the "show me your safeguards" agreements, where the covered entity gets deep into its vendors' operational minutia. But for the most part, except for cases where there's no BAA at all, generally the BAAs that are out there are sufficient.
And for what it's worth, I'm not a big fan of the second type of agreement. Covered entities can't turn a blind eye to whether they can trust a vendor, but safeguards are scalable, and it's not the covered entity's position to make a determination about what safeguards are appropriate for a BA. Additionally, if it takes on that obligation and either doesn't look closely or doesn't see an insufficient safeguard, the covered entity could be liable for the breach caused by that insufficiency.
Blogger: HIPAA Blog - Edit your Template