The need for a structured Business Associate oversight program for data security risk management.
HIPAA and the HITECH Act have highlighted the importance of Business Associate (BA) security. Covered Entities (CEs) need to effectively manage Business Associates security risk, and BAs need to understand their compliance requirements and liability under HIPAA and HITECH for PHI.
The entire supply chain of PHI from CEs to BAs to BA subcontractors are now subject to compliance with the HIPAA Security Rule. Not only has the definition of BAs been expanded to include data transmission services like HIEs and RHIOs, but BAs now face dual liability – they have both
- contractual liability to CE for HIPAA compliance via Business Associate Agreements (BAAs) an
direct liability to the government.
Furthermore the July 14th, 2010 notice of proposed rulemaking (NPRM) modifying HIPAA under the HITECH Act clarifies that:
a lack of understanding is not a valid defense for HIPAA compliance violations.
Given the enhanced breach notification requirements, monetary penalties and increase government scrutiny, both CEs and BAs need to effectively manage security risk. performing an objective and technically astute security assessment.
HIPAA Risk Analysis
is an effective way to support a structured information security program
that mitigates security and compliance risk under HIPAA.