Reducing Business Associate Risks
Attorney Gives Tips for Improving Vendors' HIPAA Compliance
The 2015 Healthcare Information Security Today survey found that business associates taking inadequate security precautions is perceived to be the biggest security threat facing healthcare organizations today. Nevertheless, many covered entities aren't taking steps needed to help reduce the risks posed by business associates, says privacy and security attorney David Holtzman.
The threat posed by business associates "presents a significant area of concern not just to the individual organizations who responded to this survey, but it's sort of an indicator of where we're going in the healthcare sector," Holtzman, vice president of compliance at the security consultancy CynergisTek, says in an interview with Information Security Media Group, which recently conducted the survey of healthcare information security and privacy leaders.
"Another interesting component of looking at how organizations are scared of the risks that their BAs pose is ... what are they doing to assure that their BAs are treating their information appropriately and safeguarding it?" Holtzman notes. And the survey confirms many organizations aren't taking all the necessary steps, he observes.
The survey shows that, in response to the HIPAA Omnibus Rule's provision making business associates directly liable for HIPAA compliance, 69 percent of respondents say their organizations have modified business associate agreements to provide more details. Some 48 percent have revised their policies for BAs reporting breaches. But only 26 percent have asked BAs to provide a copy of a security audit; 24 percent have obtained a copy of their BAs' security policies; and 15 percent have commissioned third-party validation of the BAs' policies and procedures.
Holtzman urges healthcare entities to be far more proactive with their BAs about security.
"Before you enter into an agreement with them or before you share or have any of your PHI provided to them, take steps to make sure that your vendor has the capability to safeguard your PHI by assuring that they have done the appropriate HIPAA security risk analysis," he says. Covered entities also should ask about the security safeguards their business associates have in place. "Look at your own organization to make sure that you're only sending an amount of - or the type of - protected health information that is needed for [the business associate] to carry out their functions or responsibilities."
In the interview, Holtzman also discusses:
- Breach trends that emerged from the survey, including the impact of the HIPAA Omnibus Rule breach notification final rule;
- The importance of encryption to safeguard against health data breaches;
- Questions that covered entities should ask their cloud vendors about their security programs.
Before joining CynergisTek in November 2013, Holtzman was a senior adviser at the Department of Health and Human Services' Office for Civil Rights, where he played key roles in planning and developing policy and guidance issued under HIPAA and HITECH Act regulations. While at OCR, Holtzman also served as subject matter expert to other federal agencies in the planning, execution and resolution of complex investigations involving reviews of organizations' compliance with the HITECH Act and the HIPAA privacy and security rules. Earlier, Holtzman served as the privacy and security officer for Kaiser Permanente's Mid-Atlantic region.