HIPAA Blog Posts: HIPAA Business Associates
“Breaches on average cost an organization $4.1 million or $197 per record breached.”
-- Source: Javelin Research
“Data Breach Defense 2009”
Despite your best efforts, the chance of a breach is relatively high. So you should have a breach notification plan, which should include outsourcing to a company focused on that service.
Top 5 Intriguing Risk Articles of 2009
by Karen Coburn, President & CEO, Cutter Consortium
This week, we're taking a look back at the five most intriguing articles published in Cutter's Enterprise Risk Management & Governance practice over this past year.
Seven different groups describing HIPAA HITECH is like seven blind men describing an elephant.
The Compliance Meter (tm) displays the level of ongoing compliance for a facility needing to meet HIPAA HITECH Act privacy and security standards.
What are the responsibilities of a covered entity for their business associates' compliance? Differences of opinion abound.
Denial is the first stage for many small covered entities and business associates when confronted with the HITECH Act. Finding the first small steps towards compliance is important. Getting started is crucial.
Business Associate Agreements are not enough! Covered entities must have an active program for ensuring that their business associates are compliant.
By applying the same rules to business associates that formerly applied only to covered entities, HITECH has dramatically changed the playing field. First, a lot of business associates are unaware of these new requirements. I tried an experiment at a recent trade show by asking everyone I encountered what they knew about the HITECH Act and got a universal "blank stare" response. Secondly, many of the business associates do not have trained compliance, privacy, or security staff. And finally, because the covered entities have responsibility for their business associates, they need to demand a way of confirming that their business associates are in compliance on an ongoing basis.
All of this requires a rethinking of the compliance process. As experts at helping small healthcare entities attain and maintain accreditation, we see many similarities. The business associates need tools and trained experts to assist them in attaining and maintaining compliance, and then they need an ability to report this to their covered entities. Take a look at the demo at www.compliancehelper.com to see how this can be accomplished.
ARRA, or the Stimulus Bill, allocates $20 billion for expansion of the use of electronic medical records (EMR), but there are some new strings attached, namely the HITECH Act. This stands for Health Information Technology Economic and Clinical Health Act, which we will all gratefully call the HITECH Act. Essentially it raises the bar for protection of patient healthcare information (PHI), particularly for what are termed business associates.
Business associates are all the companies that do business with covered entities which possess PHI. Technically it is only those who might have access to PHI, but you can be sure that the covered entities will err on the side of caution because they are now responsible for their business associates. In the past, all the covered entity needed was an agreement signed by the business associate essentially promising to "be careful". Now, if there is a breach by the business associate, the covered entity is responsible also. A breach is any exposure of PHI to unauthorized entities.
"Willful Neglect", a somewhat ambiguous term that will make the covered entities even more paranoid, is included in the law. It means that a passive approach won't cut the mustard: the covered entity must have an active program to ensure that their business associates are in compliance with the new HIPAA HITECH Act.
Next we will discuss what compliance entails for both the covered entity and the business associate.
Our privacy and security expert and partner Rebecca Herold (The Privacy Professor) has many erudite and scholarly articles, books, webinars, TV programs, blogs, and tweets on these subjects at www.privacyguidance.com/, but I will try to add the layman's voice to the subject in my blog.