Compliance Helper Blog

HIPAA HITECH Compliance: Trust but Verify

The prevailing practice seems to be to try to shift the responsibility to the business associate (BA) by means of a business associate agreement (BAA). The fact that the BA accepted or signed the BAA is not a reasonable assurance that they have indeed complied. They may not even know what they need to do to be in compliance. All the recent surveys reveal a huge information gap between the covered entities and the business associates.

At a minimum, it seems to me, the CE must set standards for the BA that include some method of demonstrating their compliance. In the accreditation world this sometimes means having the BA send copies of their policies and procedures (P&P), or, of course, CMS or the accrediting agency doing an on-site survey. This would be difficult at best for most CEs. Clearly, a connection between the CE and the BA would be best, allowing them a window into the compliance level of the BA. We have solved this with our Compliance Meter™, but there are other solutions out there. We have been talking with the folks at ACR2 Solutions Inc., who have an elegant solution for the CE. It is able to see the gaps in security, including insufficient P&P, at the BA level. We are talking about working with them to solve this by helping the BA get compliant.

The goal is still to get compliant, stay compliant, and prove compliance. Trust but verify.
