Another way to manage suppliers is to ensure the use of the business associate agreements (BAAs) that HIPAA requires. These agreements ensure that suppliers understand their rights and responsibilities for the use and disclosure of PHI. Part of the reason he prefers to put foreign information into a service contract is responsibility. If a vendor does not meet the obligations set out in a BAA and the supplier knows, the OCR could hold the practice liable after an infringement, Holtzman said.

Cerner asks subcontractors to ensure the competence and eligibility of their employees who provide services to Cerner's clients. Subcontractor staff are subject to background checks for the services provided; these checks must be at least as prescriptive as the background checks Cerner requires for Cerner employees.

4. Ask the business associate to report to the covered entity any use or disclosure of information not provided for by its contract, including incidents that constitute breaches of unsecured PHI.

To illustrate the importance of a BAA, an orthopaedic clinic in Raleigh, N.C. agreed to pay $750,000 to settle allegations that it may have violated the HIPAA Privacy Rule by transmitting protected health information (PHI) for approximately 17,300 patients to a potential business partner without first executing a business associate agreement. Under the HITECH Act and the HIPAA omnibus rule, business associates of covered entities must comply with most of the privacy and security rules applicable to covered entities. HIPAA rules make covered entities responsible for their own data breaches and for many things over which their business associates have direct control. When a covered entity is audited, its business associates may be required to provide certain files or documents within a very short period of time, as required by HIPAA.

The BAA acts almost as a Service Level Agreement (SLA) that ensures that these and other needs are immediately met.

Cerner manages change management processes based on Information Technology Infrastructure Library (ITIL) best practices, which focus on the nature of a change and the level of risk associated with it. Cerner's guidelines require Cerner to communicate relevant non-routine changes to a client's system. Changes are validated, verified and given permissions corresponding to the risk of the change. Cerner uses change advisory boards (CABs) to review significant changes with known downtime or increased risk.