How should we evaluate business associate security?
HIPAA Weekly Advisor, December 12, 2005
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
It's easy to document information assurances in a contract, but it's quite different when it comes to actually implementing the proper processes and controls. In fact, it's common for HIPAA lawyers and compliance officers working for business associates to agree to protect ePHI and not once involve information technology, security, and other critical personnel to ensure such claims can be backed up. This creates a dangerous situation for everyone involved.
According to the security rule, covered entities need to obtain satisfactory assurances that business associates will appropriately safeguard information. There's no way to obtain such satisfactory assurances without looking into the business associate's information security policies, procedures, and technical safeguards in the form of an
At a minimum, conduct an analysis of a security audit or create an assessment report. If it makes business sense, take it one step further and perform an assessment of the business associate's information security framework.
Editor's note: Kevin Beaver, CISSP, security consultant with Acworth, GA-based Principle Logic, LLC, answered this question. This is not legal advice. Consult your attorney for legal matters.
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Related Products
Most Popular
- Articles
-
- HIPAA Q&A: Flu shot requirement for hospital employees
- Running an effective peer review committee meeting
- HealthDataInsights posts new issues for medical necessity claims
- Sneak Peek: Effort underway to establish caseload benchmarks
- Q/A: Coding for telescopic intraocular lens
- New FAQ posted on storing laryngoscope blades
- Tip: Perform your own internal investigation prior to government audit
- HIPAA 5010 deadline extended, but threat remains, says AMA
- HHS task force: Consider privacy, security with text messages
- What does case-mix index mean to you?
- E-mailed
-
- Running an effective peer review committee meeting
- HIPAA Q&A: Flu shot requirement for hospital employees
- What does case-mix index mean to you?
- HHS task force: Consider privacy, security with text messages
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- Q/A: Coding for telescopic intraocular lens
- Q/A: Correct use of modifier -PT
- Tip: Correctly code bilateral pain management procedures
- "Wall fountains" may be spreading Legionnaires to patients, visitors
- 2012 CPT code changes for ASCs: Shoulder and knee scopes and pain management
- Searched