James

Are your vendors TRULY Compliant with HIPAA?

Updated: Apr 10, 2021


It's James, and in my continuing series on SMB Cybersecurity, I am back with another short entry for the healthcare industry to help keep your organization safe. As usual, I'm going to ask a lot of questions, and hopefully provide some of the answers.


As a healthcare provider or payer, you already know you have to be HIPAA compliant. And you know that your suppliers and vendors have to be HIPAA compliant.

But how do you know that your suppliers and vendors actually are HIPAA compliant? As your Business Associates (BAs), your compliance is dependent on their compliance.

Because the law applies, you have HIPAA compliance (hopefully) baked into your processes in working with protected health information (PHI, ePHI). You choose vendors based on their compliance as well, right? Do you know who all of your BAs are, and what their responsibilities are? Do they?

A Business Associate is a person or business that provides a service to – or performs a certain function or activity for – a Covered Entity when that service, function or activity involves the Business Associate having access to PHI maintained by the Covered Entity. Examples of Business Associates include lawyers, accountants, IT contractors, billing companies, cloud storage services, email encryption services, etc.

Before having access to PHI, the Business Associate must sign a Business Associate Agreement with the Covered Entity stating what PHI they can access, how it is to be used, and that it will be returned or destroyed once the task it is needed for is completed. While the PHI is in the Business Associate's possession, the Business Associate has the same HIPAA compliance obligations as a Covered Entity.

Remember, this burden falls on you to guarantee and demonstrate. If you have taken advantage of UNITI Cyber's free or subscription vCISO services, or Compliance as a Service (CaaS), then you know how you can rest assured that you have done your due diligence.

There is only one way to be sure, and to avoid the potential penalties, lawsuits, and loss of reputation that come with non-adherence, not to mention the risk of attacks from a third-party vulnerability. Your BAs need assessments and compliance management. As you evaluate your options, prefer a solution that can generate reports and documented proof.

Trust me, in my years of experience, every client who uses our CaaS is ecstatic about how easy things are. I have helped not only healthcare organizations but also their BAs demonstrate compliance with UNITI Cyber's semi-automated solutions. We make compliance and security painless and provable, for you and your BAs.

During your next reviews and assessments, talk to your BA contacts. Ask them to produce their own HIPAA compliance paperwork. If they don't have it ready, then you aren't compliant either. And when the audit happens, or a breach occurs, your responsibility will extend to your BAs as well.

Automate your compliance, and insist your BAs do too. You can't afford not to.


James is the CEO and founder of UNITI Cyber, the premier SMB cybersecurity and compliance consulting firm. His security, intelligence, and information security experience allows him to innovate and bring you the latest in actionable information to protect your organization.
