By Jack Anderson
March 27, 2013
In a recent article in HealthCareITNews Diana Manos, Senior Editor, interviewed Jorge Rey, and associate principal and the director of information security and compliance for Kaufman, Rossin. He stated, “Providers should identify all of their vendors with access to personal health records and ensure they are protecting it according to the new HIPAA rule.”
This sounds like an easy task for providers or covered entities as they are described in HIPAA HITECH since they have always been required to keep track of their business associates (BA). However many CEs only track when the BA signed a BAA. They don’t know what PHI they are accessing, how they are accessing it, how they are processing it, and most importantly how they are protecting it. For several years health care law firms have been telling their CE clients that all they had to do was have a BAA in place and they were OK. HIPAA has always stated that they must get “satisfactory assurances” that their BAs are compliant but that has mostly been ignored. In the last six month many of the same law firms have started saying that a CE must monitor or manage their BAs more actively.
Until know there have not been any tools for the small to medium size CE to use to monitor their BAs. Most use some kind of spreadsheet. Mac McMillan a leading HIPAA consultant recommends that you start by looking at your accounts payable list. There are probably some BAs lurking their that have not been identified nor have they signed a BA agreement.
The next step would be to survey the BAs to determine what PHI they access, how they access it, how they store it, and how they protect it. A lot of work for the CE, but there is a better solution.
Engage Compliance Helper and their new tool, BA Tracker. You can see a complete explanation of how it works at **www.compliancehelper.com/batracker **
Here is the link to the article: http://www.healthcareitnews.com/news/get-set-new-hipaa-has-teeth?topic=02,29,18