|The Health Record Review
by Jeff Rowe, Editor
Posted on Tue, May 15, 2012 - 10:08 am
So you’ve been working hard to firm up your IT security protocols and systems, and you’re feeling good about the progress you’ve made.
Now, how about your myriad partners who also have access to your patients’ health information?
As this observer points out, for many providers that’s a different story altogether. He says that “while the HIPAA rules have been around for a while -- the Security Rule's compliance date goes back to 2005 -- hospitals and other health care providers have not consistently devoted a significant amount of time to business associate security.”
“Business associates”, he notes earlier, are defined in the HIPAA Privacy Rule “as individuals or organizations that handle protected health information, or PHI, in the course of working with a covered entity,” aka the provider.
So what can and should providers do about their business associates’ attention to data security?
According to one health care attorney, providers “can create a business associate agreement that includes indemnification to help cover the notification costs involved if a business associate causes a breach.”
But other HIPAA experts suggest going beyond the standard third-party agreement. One IT security company CEO promotes the idea of a “comprehensive vendor management program,” which would include, among other things, “a process for vetting vendors during the request-for-proposals or selection process,” a security addendum to their business associate agreement “that spells out data protection requirements -- such as how data should be transferred -- in more detail,” and an “incident management plan” that spells out the responsibilities of both the provider and the associate should a breach occur.
In short, no matter how far down the road you are towards having a solid data protection program, you need to look to either side to make sure your associates are right there with you.
So, given that it’s time for a new poll question, tell us: Are you confident that your business associates are taking care of patient data?