Business Associates May be Liable for HIPAA Compliance

Dom Nicastro writes:

The Department of Health and Human Services’ Office for Civil Rights intends to strengthen HIPAA compliance requirements under the HITECH Act. The proposed changes would make BAs directly liable for HIPAA breaches, and subcontractors of BAs would also have to be compliant with HITECH and HIPAA. And that means they would have to comply with the HIPAA Security Rule and the use and disclosures provisions of the HIPAA Privacy Rule.

But is HITECH alone enough to ensure BAs and their subcontractors comply?

Not really, says Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, of Rebecca Herold & Associates, LLC, of Des Moines, IA.

A contract satisfies HITECH requirements. In it, make sure you include language that requires physical safeguards and asks BAs to document and prove their security measures and plans for incident response.

Read more on HealthLeaders Media.

About the author: Dissent
