A “Sea Change” in HIPAA Security – Why Business Associates Should Be Pro-Active About Security Risk Now

A recent report suggests that nearly 40% of data breaches of protected health information occur at third-party companies entrusted by health care providers with sensitive data. A striking statistic, particularly since HIPAA and HITECH mandate that healthcare providers ensure privacy and security among such “business associates.” While providers generally insist these obligations be included in their contracts with outside vendors, the 40% breach statistic shows just how ineffective such agreements have been without the benefit of additional enforcement or oversight.

It is against this backdrop that the Office for Civil Rights (OCR) determined that more needed to be done in this area. Its most recent recommendation calls for business associates to be held directly liable for breaches of protected health information (PHI) under HITECH Act sections 13401 and 13404. This change will go into effect 12 months after the issuance of the Omnibus NPRM (expected in the next few months). Thus, in mid-to-late 2012, business associates and their subcontractors will have the same obligations as covered entities under the HIPAA Security Rule, and therefore must conduct their own HIPAA security risk assessments. Sue McAndrew, Deputy Director for Health Information Privacy at OCR, has called the extension of direct liability to business associates “a sea change” in the regulations.

So what’s a business associate to do? Wait for the final rule to go into effect? Wait 12 months after that? At Redspin, we’d suggest a more proactive approach. A sea change, after all, is an idiom for a broad transformation, not generally a time for a waiting game. We see a healthcare market where business associates will need to provide proof of robust, effective info-sec programs as a prerequisite of doing business with providers. For their part, forward-thinking BAs who invest in their IT security today will get the jump on being able to promote IT security as a competitive differentiator in the future.

Redspin | www.redspin.com | 800-721-9177 | info@redspin.com