What can we do to build security into our business associate agreements?
HIPAA Weekly Advisor, October 9, 2006
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Include language that requires the BA to implement reasonable and widely accepted security controls. In addition, require BAs to perform ongoing security assessments and audits. If necessary, build on this by reserving the right to inspect the BA's information security systems at any given time.
Also, outline what will take place when you suspect or know that the BA has exposed or compromised ePHI. This doesn't mean the BA has to notify you of every single port scan or attempted breach. That's unrealistic, especially if the attacks are successfully blocked by a firewall, intrusion-prevention system, or other access controls. It is reasonable, however, to require notification as part of the BA's security incident response and disaster-recovery procedures.
There are several sample BA agreements available on the Internet. Review these and see what others are doing. Remember that every covered entity's needs are unique. Have legal, management, and information security personnel review any agreement you create.
Editor's note: Kevin Beaver, CISSP, security consultant with Acworth, GA-based Principle Logic, LLC, answered this question. This is not legal advice. Consult your attorney for legal matters.
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Related Products
Most Popular
- Articles
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- Catch up on what's new with injections and infusions
- Topic: CMS, OESS post new security compliance review information, checklist
- Capturing all necessary codes for IUD insertion and removal can be challenging
- What does case-mix index mean to you?
- QA:Coding multiple initial infusions
- News and briefs: Oklahoma Osteopathic Association against residency bill change
- HIPAA Q&A: Level of encryption needed for email
- OB services: Coding inside and outside of the package
- E-mailed
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- HIPAA Q&A: Level of encryption needed for email
- CMS has reformulated payments for some bilateral procedures
- Catch up on what's new with injections and infusions
- New conflicts of interest create new challenges
- Q/A. One injection code or two?
- What does case-mix index mean to you?
- Identify modifiable risk factors to prevent patient falls
- Hospitals are not bound by InterQual criteria for determining patient status
- Searched