The anger and mistrust surrounding vendor credentialing has subsided. Vendors acknowledge that hospitals need some form of credentialing to minimize risk and liability. Providers, meanwhile, understand that out-of-control, uncoordinated vendor credentialing practices contribute to the vendor’s – and ultimately, the provider’s – cost of doing business. As a result, progress is being made toward bringing order to what has been a disorderly process. This was the message from Shawn Walker of Bay State Anesthesia – a key industry figure in the vendor credentialing issue – at this summer’s 2013 IMDA Annual Conference. (IMDA is the association for specialty medical distributors.)
The message was echoed at this summer’s Vendor Credentialing Summit in Alexandria, Va. There, the Coalition for Best Practices in HCIR Requirements released its “Joint Recommendation for Healthcare Industry Representative Credentialing Best Practices.” (Read them on the Coalition website, www.hcirbestpractice.org.) The Best Practices should be read by everyone in the supply chain – providers, suppliers and vendor credentialing organizations.
Among the issues raised in the document are business associate agreements. It seems that some healthcare providers are beginning to demand their sales reps sign these agreements as a matter of course. JHC readers should expect their sales reps – and the distributors and manufacturers who employ them – to push back. That’s because business associate agreements are only required of individuals who have access to patients’ confidential protected health information. Most of the reps who call on you do not.
Barbara Kramer, Esq., legal counsel for IMDA, points out that the rise in requests for business associate agreements probably stems from the fact that the U.S. Department of Health and Human Services, Office of Civil Rights, recently published its final rule regarding revisions to HIPAA. One of the revisions requires “business associates” to have business associate agreements in place with their subcontractors. In other words, a business associate’s subcontractors are now also considered business associates.
“The practical effect of this revision is that healthcare providers must now obtain contractual assurances from their business associates that they will protect [protected health information], and these business associates must do the same with regard to subcontractors, and so on, and so on, no matter how far downriver the [protected health information] flows,” she says.
But reps who do not have access to confidential health information, or only have access to that information in order to help a doctor treat a patient (for example, to determine what type or size of device is required for a patient), are probably not considered business associates, and should not be required to sign a business associate agreement, says Kramer.
Reps who sign a business associate agreement are agreeing to:
- Have contracts with subcontractors that comply with the HIPAA rules.
- Keep records and submit compliance reports to HHS.
- Limit the use and disclosure of protected health information to the minimum necessary.
- Protect protected health information from security breaches and notify a covered entity of breaches of unsecured information.
- Disclose protected health information when requested to allow a covered entity to comply with people’s requests for their medical records.
- Provide accountings of disclosures of protected health information upon request.
In addition, by signing a business associate agreement, reps become directly liable for any HIPAA violations.
Some providers are directing their sales reps to sign business associate agreements “just in case.” If you’re one of those providers, don’t be surprised if you get some pushback.