Friday, February 10, 2012

Houston HIPAA, EMR, EHR, PPM

With HITECH extending a Covered Entity's liability out to their Business Associates, how are you ensuring your Business Associates are compliant in order to mitigate risk to your organization?


You could similarly ask HOW a CE maintains the "satisfactory assurances" required by the HIPAA Security Rule and the Privacy Rule. Having the contractual right to audit the BA's security procedures may only create more liability if it is never used and no audits or reviews are done. Most BAs would not be eager to share their risk analyses with CEs. It is not realistic that you would be able to perform an onsite audit of all of your BAs. The only logical way is to survey them and ask for their Privacy and Security Policies and Procedures, which would include training and how they protect data, along with all of the rest of their compliance plan. The real issue is the storing of this data along with your data. The bottom line of a compliance plan is not only what you put in it to show due diligence but making sure the right people in your organization have access to it. There are cost-efficient ways to do this, and if you are not doing it and your BA is breached, you can be assured they will find you in willful neglect.

An alternative to actually requiring a copy of an annual risk assessment or conducting your own audits would be to require an annual attestation by an accredited third-party auditor that confirms compliance for the BA. This might be acceptable to a BA who is reluctant to share actual audit data. Put a process in place to have the attestation reviewed by someone in your own IT Security Department or compliance office, and keep it on file. The costs for such an exercise might be shared, but if the BA does business with many healthcare organizations, they will likely absorb this as an overhead cost, since they would be required to do this across the board.
