Evaluate Your BAs’ HIPAA IQ Before a Breach Happens
Healthcare Partner Shannon Hartsfield was quoted in AAPC's March Health Information Compliance Alert about ensuring that your business associates (BAs) and vendors understand the importance of HIPAA compliance. A BA "is any person or entity that performs a function or activity on behalf of the practice involving the use and/or disclosure of protected health information (PHI) that is not a part of the practice’s staff."
"HIPAA requires covered entities and business associates to obtain ‘satisfactory assurances’ that their vendors that need access to protected health information will safeguard that information appropriately," Ms. Hartsfield said. In the past, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) "has indicated that companies don’t necessarily need to do much more than obtain a written business associate agreement from the vendor that complies with HIPAA and conduct a risk analysis," she added.
However, as part of the HIPAA Security Rule, covered entities and BAs are required to "conduct an 'accurate and thorough’ analysis of the risks and vulnerabilities to electronic protected health information (ePHI)," Ms. Hartsfield said. “OCR has indicated that customers may ask vendors for ‘additional assurances of protections for the PHI, such as documentation of safeguards or audits, based on their own risk analysis and risk management or other compliance activities.'"
Read the full article: "Evaluate Your BAs’ HIPAA IQ Before a Breach Happens" (see page 2 of the March Health Information Compliance Alert). Copyright AAPC.