Are you a business associate? Well, if you are, you had better take notice. The OCR now audits healthcare business associates, and between the possible fines and the costs of responding to a data breach, business associates need to be prepared.
How to be a successful business associate
HIPAA (and your BA agreements) will require your organization to put in place three kinds of safeguards for PHI:
- Administrative. This includes doing a risk analysis to understand what kinds of PHI you have, how you use it, where it could be vulnerable, and what the impact could be if it were lost, stolen, or exposed. Based on a risk analysis, you will develop policies and procedures to protect that PHI and to outline your response in case of a breach or suspected breach.
- Technical. These are safeguards built into your IT systems and procedures—even the ones you may have outsourced to another vendor such as an application services or network services provider. (Remember that the safeguards may include BA agreements between you and those providers.)
- Physical. These include measures such as limiting access to your facilities, systems, and data storage areas to authorized personnel; having security policies for use of laptops and mobile devices; and making sure that materials are recovered and access is taken away when someone leaves your organization.
If you are a small or mid-sized organization, as are many BAs, chances are you don’t have data privacy or security experts on staff, and starting on all these measures may be daunting. The best place to start is with the risk analysis. The results will show you where you are most vulnerable and where to concentrate your efforts and your spending. Guided by the risks, you can address the most critical areas first and then grow your security programs as necessity dictates and as time and budget allow.
PHI security is a lot to take on, especially in this age of cyber attacks and daily breaches. While it takes resources to put BA agreements and new security and privacy procedures in place, in the end, they will benefit your business, your business partners, and the patients you both serve.
You can read the full article here: How to succeed as a HIPAA business associate