The document discusses new responsibilities and risks for business associates and covered entities under HIPAA regulations. It notes that the HIPAA Security Rule now applies to business associates, their subcontractors, and those who access protected health information. Covered entities and business associates both face liability for security breaches and non-compliance. The document recommends that organizations systematically identify, classify, prioritize and monitor IT security risks, with a focus on critical risks. It also stresses that having controls in place does not ensure they are effective, and compliance does not guarantee security. Business associates need to be prepared to be audited by covered entities.
3. Expanded Definitions
Work for CE + Access PHI = BA
Data transmission providers
Subcontractors to BA
4. HIPAA Security Rule...
Applies to:
A) Covered Entities
B) Business Associates
C) Subcontractors
D) All of the above
5. Oops, I didn't know
“lack of knowledge” is not a defense*
AKA: what you don't know {about BAs} can hurt you
* 75 Federal Register 40878, July 14th, 2010 NPRM
6. BAs' Dual Risk
Liability to government (HIPAA)
Liability to CE (BAA)
7. CEs' Dual Risk
Liability to government (HIPAA)
Liability to government (BA security)
34. Summary
For BAs & CEs
New responsibilities (HIPAA Sec. Rule)
Increased accountability / scrutiny
Need effective (true) risk management
BAs need to be ready to be audited by CEs
CEs need to be ready to audit BAs
35. { thank you! }
John Abraham
jabraham@redspin.com
805-705-8040 (mobile)