A “Sea Change” in HIPAA Security – Why Business Associates Should Be Pro-Active About Security Risk Now
A recent report suggests that nearly 40% of breaches of protected health information occur at third-party companies that health care providers have entrusted with sensitive data. That is a striking statistic, particularly since HIPAA and HITECH require providers to ensure privacy and security among such “business associates.” Providers generally insist that these obligations be written into their contracts with outside vendors, but the 40% figure shows how little such agreements accomplish on their own, without additional enforcement or oversight.
It is against this backdrop that the Office for Civil Rights (OCR) determined that more needed to be done in this area. Its most recent recommendation calls for business associates to be held directly liable for breaches of protected health information (PHI) under HITECH Act sections 13401 and 13404. The change will take effect 12 months after the issuance of the Omnibus NPRM (expected in the next few months). Thus, in mid-to-late 2012, business associates and their subcontractors will have the same obligations as covered entities under the HIPAA Security Rule, and therefore must conduct their own HIPAA security risk assessments (the Security Rule’s risk-analysis standard, 45 CFR 164.308(a)(1)(ii)(A)). Sue McAndrew, Deputy Director for Health Information Privacy at OCR, has called the extension of direct liability to business associates “a sea change” in the regulations.
So what’s a business associate to do? Wait for the final rule to take effect, and then wait another 12 months? At Redspin, we suggest a more proactive approach. A sea change, after all, is an idiom for a broad transformation, not a cue to play a waiting game. We see a healthcare market in which business associates will need to show proof of robust, effective information security programs as a prerequisite for doing business with providers. Forward-thinking BAs who invest in their IT security today will get a jump on promoting IT security as a competitive differentiator tomorrow.
Web: WWW.REDSPIN.COM | Phone: 800-721-9177 | Email: INFO@REDSPIN.COM