BA Requirements for Compliance with HIPAA Security Rule

■ BAs must be in compliance with the HIPAA Security Rule standards and implementation specifications for administrative, physical, and technical safeguards.

■ Compliance will likely require BAs to do more to secure PHI than they do today. Even though BAs are already contractually required to implement appropriate “administrative, physical, and technical safeguards” to protect electronic PHI, the measures, policies, and procedures a BA currently has in place may not satisfy the HIPAA Security Rule, which sets out a series of very specific standards and implementation specifications. BAs must comply with each of those standards and implementation specifications.

■ The first step in compliance is understanding the HIPAA Security Rule requirements and conducting a “gap analysis” to identify the areas where the BAs’ information security systems and programs fall short of meeting the HIPAA Security Rule requirements. The Checklist preceding this chapter should help guide BAs in compliance efforts under the HIPAA security breach notification requirements.

■ HHS annually issues additional guidance on technical safeguards that most appropriately implement the Security Rule. Therefore, compliance with the HIPAA Security Rule will require ongoing evaluation and updates.

■ Consider HIPAA and HITECH compliance with respect to the use of cloud-based resources offered by a cloud service provider (CSP). CSPs generally offer online access to shared computing resources with varying levels of functionality depending on the users’ requirements, ranging from mere data storage to complete software solutions (e.g., an electronic medical record system), platforms that simplify the creation of new products by application developers, and entire computing infrastructures on which software programmers deploy and test programs. Common cloud services provide on-demand Internet access to computing resources such as networks, servers, storage, and applications. BAs that are CSPs, or that use CSPs in connection with their services for CEs, need to take steps to ensure that the arrangement complies with the Security Rule.

■ BAs should ensure that contracts with subcontractors contain appropriate language to address information security and protect BAs from costs and liabilities associated with subcontractors’ security breaches or other violations of contract terms related to information security. BAs should consider developing an information security due diligence questionnaire for potential subcontractors to evaluate their ability to protect PHI and other valuable data.

Statutory Liability for Business Associate Agreement Terms

■ BAs are directly liable under HIPAA for violations of the terms of their BAAs.

■ BAs should evaluate their current policies, procedures, and processes applicable to their ability to comply with each provision in their BAAs to ensure they are robust and will facilitate compliance.

■ Training of personnel and evaluation of existing policies and procedures should be undertaken critically. Policies on employee sanctions for violations of HIPAA, the HITECH Act, and requirements in BAAs should be evaluated and strengthened.

BAA Compliance with HITECH Act Requirements

■ BAAs should include the HITECH Act requirements for BAs, including compliance with the HIPAA Security Rule standards.

■ Because of the public exposure that may result from breaches of unsecured PHI and the implications for their businesses, CEs typically raise a broad range of business issues associated with the HIPAA security breach notification requirements. As a result, BAAs have become more complex. Responsibility for the costs of a security breach, and for the risk mitigation strategies to be followed if one occurs, are key issues in BAAs. CEs often press for broad indemnification from BAs, and may require a BA that suffers a security breach to make the required notifications on the CE’s behalf and to bear all costs associated with the breach.

■ BAs should consider drafting their own form amendments and should create or revise their existing template BAAs to incorporate requirements of the HITECH Act. This will allow the BAs to create BAAs that contain the provisions required by law and yet are drafted to be more favorable and less burdensome to the BAs. This may help to minimize negotiation of terms that are not required by law, but that CEs will insert into form agreements to benefit the CEs and to reallocate risk to the BAs.

■ These template BAAs should reflect the obligations that actually apply to the BAs. BAs should also consider inserting language that addresses information security and protects the BAs from costs and liabilities arising from subcontractors’ security breaches or other violations of contract terms related to information security.
