The HHS Office for Civil Rights (OCR) issued new documentation on May 24, 2019 specifying requirements and prohibitions for which Business Associates are directly liable. The OCR is authorized to take enforcement actions against Business Associates for ONLY 10 specific HIPAA violations. Some of these violations may include failure to:
- Comply with Security Rule requirements
- Provide breach notifications to a Covered Entity or another Business Associate
- Enter into a Business Associate Agreement with subcontractors who create or receive PHI on their behalf
When dealing with Business Associates, pause to consider:
How compliant are your Business Associates with HIPAA Security Requirements?
The HIPAA Privacy Rule ONLY applies to Covered Entities. The Covered Entity is responsible for obtaining satisfactory assurances from the Businss Associates that they will appropriately safeguard protected health information.
Are your Business Associate Agreements sufficient?
Certain required elements to be included within a Business Associate Agreement are specified at 45 CFR 164.504(e). The Agreement must establish the permitted and required uses and disclosures of protected health information by the Business Associate.
How well does your organization monitor your Business Associates?
Covered Entities are not responsible for monitoring Business Associates. However, if a Covered Entity learns of a material breach or violation by the Business Associate, the Covered Entity must take reasonable steps to resolve the breach or end the violation. If those actions are unsuccessful and there are no other viable alternatives, the Covered Entity must terminate the contract with the Business Associate.
Contact Fortified Health Security to learn how our cybersecurity professionals can help you assess and manage your existing list of vendors to optimize network security throughout your healthcare company.
Fortified Health Security is committed to strengthening the security posture of healthcare organizations. In the spirit of Cybersecurity Awareness month, we will be posting daily information for you to consider when maintaining your organization’s cybersecurity program.