By Jack Anderson
May 27, 2016
Yes, there are shining examples of both CEs and BAs meeting the highest standards for security and privacy. They stand out because of the general lack of compliance by both. The publicized incidents of breach are the tip of the iceberg, because most breaches are not discovered and/or not reported.
Think about the old days of misrouted faxes. Multiply that by thousands of misrouted electronic messages containing PHI. Now think about smart phones, thumb drives, laptops, iPads, and other mobile devices that are lost or stolen every day. Many of them contain PHI.
If you have BAs, of course they need to sign a BA agreement, but it is in your best interest as well as theirs to go a few steps further. Educating them about the HIPAA requirements would be a prudent move. They need to understand that the three pillars of HIPAA compliance are updated training, updated policies, and an updated risk assessment. By my emphasis you can see that updating is critical. Compliance is a process, and documentation of on-going compliance activities protects the BA, which in turn protects you.
A simple on-line security awareness training video with a quiz and certificate of completion would go a long way toward helping them understand, and therefore comply with, HIPAA requirements.
Offer them a chance to attend a webinar on HIPAA risk assessment that clearly defines the characteristics of an acceptable risk assessment. They need to know that a HIPAA checklist will not suffice.
Anything that draws their attention to the fact that you are serious about HIPAA compliance will cause them to be serious as well.
Contact me at jack@compliancehelper for more information.