A recent posting of a resolution agreement (https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/CCDH) may trigger CEs to get BAAs in place with non-BAs, as I think this is an area that, for whatever reasons, people get wrong/confused/etc. ... even in cases where the question of whether an entity is a BA or not is nothing but black and white ... but that's OK ... job security in one form or another (and in some cases, for the person who may be hired after the previous HIPAA compliance professional is let go as a result of the following).
The resolution agreement and the underlying situation are so timely because over the last two weeks I posted a question that asked whether it was permissible to share PHI with a BA without a BAA or other arrangement in place. Many people onlist and offlist suggested that because the sharing fell under TPO and because BAs were now liable under HIPAA, it was OK to share the PHI.
Hopefully, if my offlist responses to many of you and my onlist posting did not, the resolution agreement may serve to convince you otherwise.
So now here's my "let's see how honest people can be on a Friday" survey, with 2 questions for people to report on their own current state of BA compliance and to offer their opinion on the overall rate of compliance in having BAAs in place.
I will post the results a little later today as I am holding a session open to all on how to download the LEIE and EPLS to conduct exclusion checks using Excel.
Survey link: https://www.surveymonkey.com/r/R6JBMW2