HIPAA "Gotcha" Questions for Business Associates

September 25, 2015

Gotcha (Merriam-Webster, www.merriam-webster.com/dictionary/gotcha): an unexpected, usually disconcerting challenge, revelation, or catch.

Getting a letter or email from an auditor, business partner or client requesting a written copy of your latest HIPAA risk assessment, policies and procedures, and documented staff training would qualify as an unexpected, disconcerting challenge. Based on history, many business associates can expect this in the near future.

In a recent article in Healthcare Information Security by Adam Greene, he warns that business associates will soon be the subject of HIPAA settlement agreements. As a partner at Davis Wright Tremaine LLP in Washington, Greene specializes in HIPAA and HITECH Act issues. He formerly was a senior health information technology and privacy specialist at the HHS Office for Civil Rights, where he played a significant role in administering and enforcing the HIPAA privacy, security and breach notification rules.

He also points out that the lack of a comprehensive and timely risk analysis has been at the center of many OCR HIPAA settlements.

“If you’re a business associate, look at whether you have a risk assessment … You want to make sure that when you see a new settlement about a mobile device being stolen - do you have a risk assessment that identifies the risk of one of your workforce members having a mobile device that has PHI … and if it gets stolen … what have you put in place to reduce that risk?”

The gold standard for a HIPAA risk assessment is the NIST protocol. Using the NIST protocol we have developed the Jumpstart process that can get a business associate HIPAA compliant in 72 hours.

Don’t be a gotcha victim: get compliant, stay compliant and prove compliance with Compliance Helper and ACR2 Solutions.
