Business Associates are now required to do a HIPAA risk assessment and remediate the risk.

May 9, 2013

A key question covered entities should be asking their business associates is: when did you do your last HIPAA risk assessment, and did you remediate the risks it identified? This is also a critical question for covered entities that have received stimulus funds by attesting to meeting the requirements for meaningful use. Core Item 15 requires that the provider do a HIPAA risk assessment, remediate the risks identified, and put an ongoing risk management program in place. Recent audits of those attesting to meaningful use revealed that a majority had not done a HIPAA risk assessment, let alone the remediation and the ongoing risk management program.

In this comprehensive article the authors make this very clear: “In order to meet their responsibilities, business associates are now required to perform risk analyses. Such risk analyses must be accurate and thorough assessments of potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic PHI that the business associate creates, receives, maintains, or transmits. The Security Rule also compels corrective actions to minimize any identified risks and vulnerabilities.”

Covered entities can no longer afford to turn a blind eye to the compliance activities of their business associates. They must have an active program to monitor the compliance of their BAs on an ongoing basis, and the BAs have to be prepared to provide proof that they are compliant. The BA Tracker program identifies high-risk BAs, and the Prepare/Care programs provide a cost-effective and efficient method of helping the BAs get compliant, stay compliant, and prove compliance with the Compliance Meter (tm).
