
All About Third Party Compliance Within Accountable

Third party compliance can be super confusing, but with the help of Accountable it can be seamless

Written by Jacob W Fisher
Updated over 4 months ago

Third party compliance is a smooth experience in Accountable, where you can address everything involved from one central section labeled 'Third Parties'.


Contents of this Article:

  1. Defining Business Associates and other vendors

  2. Navigation within Accountable to achieve third party compliance

  3. Upload or Execute a BAA (Business Associate Agreement)

  4. Initiate a third party questionnaire


A Helpful + Short Video Defining Business Associates and 'Other Vendors':

Within the below video, I define what makes an Organization a Business Associate, along with a discussion about 'Other vendors'. Check it out - I hope you find it helpful!


Definitions

Before diving into the application, or navigation, it is worth taking a moment to define various elements of this feature.

First, we will define a Business Associate as any person or organization that you pay to complete a certain task. The task itself places the other company in a position where they cannot help but come into contact with protected health information (PHI). Usually this is why you're paying them (for example: an IT professional).

  • There is nothing wrong with sharing PHI in this manner. However, there is a need to have a signed business associate agreement between both parties.

If your company type is that of a business associate, please be aware that you must concern yourself with both sides of the aisle. What I mean by that is that not only must you make sure that the paperwork mentioned here is in place, you also need to make sure that it is signed for both your clientele (covered entities) and the business associates 'downstream' of you.

If your company type is that of a covered entity, please be aware that you should be concerning yourself only with 'downstream' business associates. No agreement like a BAA is ever necessary for a covered entity to share PHI for the furtherance of the health of the patient with another covered entity (you may need an authorization form, but never a BAA).


'Regular' Third Party Vendors

There are also people who fall into the category of third party vendor but are not quite someone you can deem a business associate. I like to call them 'regular vendors.'

A regular third-party vendor is a vendor whom you are paying for a specific task, but the task itself has nothing to do with protected health information. However, because this regular vendor is inside of a medical facility, it's not crazy to think that they may become coincidentally exposed to PHI. For this reason, it is best to have a regular vendor sign a confidentiality agreement.


A Different Approach

  • It may be unreasonable to request this Confidentiality Agreement be completed in a digital fashion every time a situation pops up where you need one quickly (For example, someone is carrying a heavy box for you and you need a CA from them. Am I supposed to ask them to log into Accountable?).

    • Sure, you could fire up your computer, remember your password, build them a vendor profile and ask them to sign a legal document when all they want is to avoid a spinal injury,

      OR

      You could head to 3rd parties > Agreements > Select the ‘View Templates’ button in the page banner (the banner is blue in color) and print off a stack of these agreements to keep at the Front Desk for just this situation.

      • Then, once a month, set yourself a calendar reminder where you say, ‘Take 20 minutes to upload confidentiality agreements to Accountable for this month.’

        • You upload the confidentiality agreements collected since the last time you did this, shred the originals, and you have a nice, neat, contained place to ensure your compliance with ‘Regular Vendors’.


Navigation:

  • A profile for each third party (as seen below) is necessary to perform third party compliance management in Accountable.

Business Associates

  • In the development of the third party profile, you'll be asked the following questions:

    • The company name

    • Their website

    • Feel free to leave their third party type as partner

    • Then you will list the services provided by the business associate

    • Please also list the data stored by this business associate on your behalf

    • Please mark the risk level as low

    • Under the header of contact information, the person who is building this profile will want to list the information for their person of contact at said third party's office.

    • Last, click the blue button labeled 'create third party profile' to generate the profile.

Great job, you just created your first third party profile!


Upload or execute a BAA:

Now that we have constructed the third party profile, it is time to populate it!

  • Click the name of the Organization to bring up their specific profile

  • If you have a BAA you signed in the past with this company, scroll to the bottom to see where to upload that

  • You can also execute a BAA directly from inside Accountable! No paper, no ink, no fuss, no muss. Both parties can e-sign this agreement, which will reside inside of Accountable once signed by both parties.


Initiate a Vendor Risk Questionnaire:

After executing a BAA, there is a bit more to do for those of you who are Covered Entities. If you are a Business Associate reading this section, please go up a tad or click the link to read the discussion on 'Regular Vendors'.

  • Go to third parties and select the Organization's profile by clicking on their name.

  • When you are inside the third party profile, utilize the tab labeled ‘Risk Questionnaire’ to send the third party a short audit to check out their security posture.

    Note - A third party risk questionnaire is something that CEs are required to send to BAs. It does not work the other way around, though. BAs would not survey CEs.


You’re done addressing 3rd parties for at least a year, at which point you should review any BAAs for ‘material changes’ that would warrant setting forth a new BAA.

