TRENDING:

HIPAA/HITECH , Standards, Regulations & Compliance

Reducing Business Associate Risks

Attorney Gives Tips for Improving Vendors' HIPAA Compliance Marianne Kolbasuk McGee (HealthInfoSec) • May 15, 2015     20 Minutes   
Reducing Business Associate Risks
David Holtzman

The 2015 Healthcare Information Security Today survey found that business associates taking inadequate security precautions is perceived to be the biggest security threat facing healthcare organizations today. Nevertheless, many covered entities aren't taking steps needed to help reduce the risks posed by business associates, says privacy and security attorney David Holtzman.

Registration for a free webinar presenting the survey results and offering expert analysis is now available.

The threat posed by business associates "presents a significant area of concern not just to the individual organizations who responded to this survey, but it's sort of an indicator of where we're going in the healthcare sector," Holtzman, vice president of compliance at the security consultancy CynergisTek, says in an interview with Information Security Media Group, which recently conducted the survey of healthcare information security and privacy leaders.

"Another interesting component of looking at how organizations are scared of the risks that their BAs pose is ... what are they doing to assure that their BAs are treating their information appropriately and safeguarding it?" Holtzman notes. And the survey confirms many organizations aren't taking all the necessary steps, he observes.

The survey shows that as a result of the HIPAA Omnibus Rule's provision holding business associates liable for HIPAA compliance, 69 percent of respondents say their organizations have modified business associate agreements to provide more details. Some 48 percent have revised their policies for BAs reporting beaches. But only 26 percent have asked BAs to provide a copy of a security audit; 24 percent have obtained a copy of their BAs' security policies; and 15 percent have commissioned third-party validation of the BA's policies and procedures.

Aggressive Action

Holtzman urges healthcare entities to be far more proactive with their BAs about security.

"Before you enter into an agreement with them or before you share or have any of your PHI provided to them, take steps to make sure that your vendor has the capability to safeguard your PHI by assuring that they have done the appropriate HIPAA security risk analysis," he says. Covered entities also should ask about the security safeguards their business associates have in place. "Look at your own organization to make sure that you're only sending an amount of - or the type of - protected health information that is needed for [the business associate] to carry out their functions or responsibilities."

In the interview, Holtzman also discusses:

  • Breach trends that emerged from the survey, including the impact of the HIPAA Omnibus Rule breach notification final rule;
  • The importance of encryption to safeguard against health data breaches;
  • Questions that covered entities should ask their cloud vendors about their security programs.

Before joining CynergisTek in November 2013, Holtzman was a senior adviser at the Department of Health and Human Services' Office for Civil Rights, where he played key roles in planning and developing policy and guidance issued under HIPAA and HITECH Act regulations. While at OCR, Holtzman also served as subject matter expert to other federal agencies in the planning, execution and resolution of complex investigations involving reviews of organizations' compliance with the HITECH Act and the HIPAA privacy and security rules. Earlier, Holtzman served as the privacy and security officer for Kaiser Permanente's Mid-Atlantic region.

Previous
IoT Security: The Patching Challenge
Next
Art Coviello: Venture Capitalist



Around the Network

Transforming a Cyber Program in the Aftermath of an Attack
Transforming a Cyber Program in the Aftermath of an Attack
Identity Security and How to Reduce Risk During M&A
Identity Security and How to Reduce Risk During M&A
How 'Security by Default' Boosts Health Sector Cybersecurity
How 'Security by Default' Boosts Health Sector Cybersecurity
Properly Vetting AI Before It's Deployed in Healthcare
Properly Vetting AI Before It's Deployed in Healthcare
Safeguarding Critical OT and IoT Gear Used in Healthcare
Safeguarding Critical OT and IoT Gear Used in Healthcare
Is It Generative AI's Fault, or Do We Blame Human Beings?
Is It Generative AI's Fault, or Do We Blame Human Beings?
Protecting Medical Devices Against Future Cyberthreats
Protecting Medical Devices Against Future Cyberthreats
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
Evolving Threats Facing Robotic and Other Medical Gear
Evolving Threats Facing Robotic and Other Medical Gear
Medical Device Cyberthreat Modeling: Top Considerations
Medical Device Cyberthreat Modeling: Top Considerations

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.