HIPAA, business associates, and the cloud

Baker & Hostetler LLP, Kimberly M. Wong

June 28, 2013

The evidence is mounting that managing your business associates is a critical task for both covered entities (CE) and business associates (BA). In this thorough discussion, Kimberly Wong of Baker, Hostetler, LLP says the following:

“At the OCR/NIST 6th Annual Conference on Safeguarding Health Information: Building Assurance through HIPAA Security, the following issues were recommended for covered entities to address with their cloud computing vendors (and business associates generally):

Where is PHI located?

How are break risks minimized? Does the vendor have an incident response plan?

How is breach notification prevented? Does the vendor encrypt data at rest and in transit?

Does the vendor have an incident response plan?

How does the vendor track access to and modifying of PHI? Is there audit logging and monitoring?

Does the vendor segregate data to prevent unauthorized access to and disclosure of PHI?

How is PHI disposed of at the end of the contract? What is the vendor’s policy and procedure on data retention and destruction?

How does the vendor prevent the threat of knowledgeable insiders? Does the vendor have internal security procedures (e.g. employee background checks, training, method for monitoring physical and logical access)?

In order to monitor business associates, post Final Rule, health care industry trend demonstrates that covered entities are adding pre-contract risk/controls assessments, enhancing contractual safeguards and business associate agreements, and adding/enhancing post-contract audits. With liability flowing downstream, covered entities and business associates must complete their due diligence before entering into contracts with vendors who may maintain PHI.”

If you don’t already have a tool like BA Tracker, you need to get one soon. As the number of legal opinions mounts, the pressure to do something increases. If you can’t answer the questions in this article, give me a call and I will show you how BA Tracker can handle this cost-effectively and efficiently.

Jack Anderson

866-984-3573 ext 709

jack@compliancehelper.com

