Managing HIPAA / HITECH Act Risk in ePHI Supply Chain

NPRM has, in effect, created an ePHI supply chain in which everyone on the chain needs to worry about the security controls of everyone else in the chain. Here's why...
Managing HIPAA / HITECH Act Risk in ePHI Supply Chain

HITECH and the notice of proposed rulemaking (NPRM) published in the Federal Register July 14, 2010 significantly impact how Covered Entities (CEs) and Business Associates (BAs) manage health IT security risk under HIPAA. It has, in effect, created an ePHI supply chain in which everyone on the chain needs to worry about the security controls of everyone else in the chain. Here's why:

1. Business Associates: the definition of a BA is expanded to include data transmission services such as HIEs and RHIOs, and also subcontractors of BAs that have access to ePHI.
2. HIPAA Security Rule: BAs are now responsible for complying with the HIPAA Security Rule.
3. Penalties: penalties for noncompliance apply not only to CEs, but also to BAs and BA subcontractors.
4. "Oops, we didn't know": a BA can no longer use "lack of knowledge" as a defense to limit liability for HIPAA non-compliance violations.
5. Dual Liability: BAs have contractual liability to the CE for HIPAA compliance via Business Associate Agreements (BAAs), as well as liability directly to the government for HIPAA compliance.

What can you do? Whether you are a CE, a BA or a subcontractor of a BA, a number of steps can reduce your risk.

1. Policies: Ensure you have effective and practical policies and procedures in place to document how you manage health IT and mitigate security risk.
2. Training: Educate employees to ensure they understand the policies as well as the spirit and intent of those policies.
3. Assessment: Complete a HIPAA Risk Analysis to identify security risk, determine the effectiveness of security controls and measure conformance with policies and the HIPAA Security Rule. Whether you are a CE, a BA or a BA subcontractor, you need to understand where your risk of disclosing ePHI lies. Lack of knowledge does not limit liability, and completing a risk assessment helps focus risk mitigation measures and indicates a commitment to a robust information security program in the event of post-data-breach litigation.
4. Manage Vendor Risk: Both CEs and BAs need to understand the extent to which vendors magnify their risk of ePHI disclosure. Because every organization has limited resources, it's important to prioritize vendors to determine which ones represent the highest risk of ePHI disclosure.

Here are steps to consider for all BAs, especially those that are considered high risk:

- Upgrade BAAs to include a right-to-audit clause in which you are enabled to perform a HIPAA Risk Analysis or other assessment to verify the vendor's risk profile.
- Require BAs (or subcontractors) to complete a Business Associate Security Questionnaire in which they must attest to some basic elements of their information security program.
- Threaten to periodically audit or spot check certain answers to the BA's Business Associate Security Questionnaire.

Given the expanded liability and compliance requirements of the ePHI supply chain under HIPAA and the HITECH Act, performing some minimal risk management efforts can dramatically reduce risk throughout the chain.

WEB PHONE EMAIL WWW.REDSPIN.COM 800-721-9177 INFO@REDSPIN.COM