A “Sea Change” in HIPAA Security – Why Business Associates Should Be Pro-Active About Security Risk Now
A recent report suggests that nearly 40% of data breaches of protected health information occur at third party companies entrusted by health care providers with sensitive data. A striking statistic, particularly since HIPAA and HITECH mandate that healthcare providers ensure privacy and security among such “business associates.” While providers generally insist these obligations be included in their contracts with outside vendors, the 40% breach statistic shows just how ineffective such agreements have been, without the benefit of additional enforcement or oversight.

It is against this backdrop that the Office of Civil Rights (OCR) determined that more needed to be done in this area. Their most recent recommendation calls for business associates to be held directly liable for the breach of protected health information (PHI) under HITECH Act sections 13401 and 13404. This change will go into effect 12 months after the issuance of the Omnibus NPRM (expected in the next few months). Thus, in mid-to-late 2012, business associates and their subcontractors will have the same obligations as covered entities under the HIPAA Security Rule — and therefore must conduct their own HIPAA security risk assessments. Sue McAndrew, Deputy Director for Health Information Privacy at the Office of Civil Rights (OCR), has called the extension of direct liability to business associates “a sea change” in the regulations.

So what’s a business associate to do? Wait for the final rule to go into effect? Wait 12 months after that? At Redspin, we’d suggest a more proactive approach. A sea change, after all, is an idiom for a broad transformation, not generally a time for a waiting game. We see a healthcare market where business associates will need to provide proof of robust, effective info-sec programs as a prerequisite of doing business with providers. On their part, forward-thinking BAs who invest in their IT security today will get the jump on being able to promote IT security as a competitive differentiator in the future.

Web: WWW.REDSPIN.COM | Phone: 800-721-9177 | Email: INFO@REDSPIN.COM