By Jack Anderson
November 4, 2013
This is from an interview with David Flynn, health information technology officer at Symantec. in an interview with Tom Field of Healthcareinfosecurity.com
Business Associates
FIELD: The final topic under potentially most over-looked, and perhaps the biggest one, is business associates. What are organizations missing there?
FINN: I think that’s the biggest topic, and for once I have to tell you I thought the providers were not going to get the worst of it. This was directed at the business associates by making them accountable to the same level of protection as a covered entity and subject to the same prosecution under the law. I think Omnibus turns the world upside down for a business associate.
Unfortunately, what we’re seeing fall to the covered entities is education for these business associates, explanations of very complicated laws, even training of business associates and subcontractors. The poor covered entity still doesn’t get a break here, and I’m starting to hear a lot of right to audit from the providers, but we need to get realistic here. I’m not aware of any provider that has the time, money or staff to go audit all their business associates, or even key ones. You have to make them do it and you have to get the results from their efforts or their third-party audits. It’s going to be imperative that covered entities monitor and know what the business associates are doing, but they’re not going to realistically be able to do that themselves.
The question as it is with all these issues is, do you want to just check the box and protect yourself legally and maybe shift some of the financial liability, or do you really want to protect your patients’ information when you provide it to a business associate? That gets into the whole risk management question.
We agree that covered entities can’t do this themselves so we developed BA Tracker to help them. Take a look at www.compliancehelper.com/batracker or contact me at jack@compliancehelper.com for more information.