Business Associates Need Proof of HIPAA Compliance

January 18, 2016

It is probably self-serving on the part of both of us, but Daniel Schroeder, partner-in-charge of the information assurance services practice at the consulting firm Habif, Arogeti & Wynne, and I agree that covered entities are asking their business associates for proof of compliance.

“To guard against data breaches, healthcare organizations must demand more proof of how their business associates are safeguarding patient data and mitigating related risks,” says privacy and security expert Daniel Schroeder. “Increasingly, covered entities are becoming more and more aware of these risks and are raising the bar on their business associates with respect to their expectations for them to be able to demonstrate and provide appropriate forms of evidence that they’ve done the right sort of things - and not just for HIPAA compliance - but also for effective risk management,” Schroeder says in an interview with Information Security Media Group.

The question is what kind of proof is required. Some covered entities may be satisfied with a completed questionnaire or a checked-off HIPAA compliance checklist, but more and more of them want more: a copy of your most recent HIPAA risk assessment, copies of written policies and procedures, or documentation of staff training. If they are really worried, suspicious, or both, they may demand an on-site audit. And if a breach is involved, HHS and its enforcement arm, OCR, will demand all of this and more.

Until September 2013, when the HIPAA Omnibus Rule took effect, business associates basically had a “get out of jail free” card. Now they have to meet the same standards as their hospital, clinic, and practice clients. Unlike those clients and business partners, business associates often have little or no experience or expertise with HIPAA.

This is why we developed Jumpstart. For an organization with 1-20 employees, it offers a way to get HIPAA compliant in 72 hours and to produce all the proof necessary to satisfy clients, business partners, HHS, and OCR. By applying the HHS “necessary and applicable” policy, up to 35% of the rules and regulations are judged unnecessary for the organization and inactivated at the beginning of the process. An initial risk assessment, followed by scheduling staff training, updating 12 policies and procedures, and then a second, updated risk assessment meets the requirements for initial HIPAA compliance. Ongoing tasks are documented, building a history of compliance that forms a legal firewall around the company.

Take the free HIPAA Risk Assessment at www.compliancehelper.com and see whether Jumpstart can help you get HIPAA compliant in 72 hours.
