In the past week I got the third question in a one month time-frame about the same topic. My unwritten, loosely followed rule is that if three different organizations ask me pretty much the same question in a month, then it is something worth writing about; why are so many (well, a handful) of the same questions occurring in such a short period of time? Is some vendor out there spreading horribly bad advice? Let’s consider the topic… (more…)
Archive for the ‘BA’ Category
Don’t tell me it depends! Well, sorry, but…
I’ve been involved in several interesting discussions (some with lawyers, some with security folks, some with privacy folks, and a few of the folks wearing all three hats) about the liability of organizations that outsource business processing. Since January 17 I’ve also been working on a wide range of documentation changes to reflect the recently released 563 page tome that is the Final HIPAA Omnibus Rule. A significant part of the documentation and writing involves discussion of the increased liability a covered entity (CE) now has for the bad practices and mistakes made by their business associates (BAs).
Organizations want a clear cut answer to “how liable” they are for the actions of their outsourced entities. One CISO at a conference demanded, “Just tell me; are we going to be held responsible for the actions of our business associates or not? Just (more…)
Are you a covered entity (CE) or business associate (BA) as defined by HIPAA? There are literally millions of organizations in the U.S. that fall under these definitions, and possibly additional millions of BAs outside of the U.S. providing services to U.S.-based CEs. The impact is significant, and truly world-wide. If you are a CE or BA, did you know that your information security and privacy activities, or lack thereof, could cause physical harm to patients and insureds, and that you can receive significant penalties under the new HIPAA rules based upon those impacts? (more…)
Over the years when working with a wide range of organizations, helping them to identify where all forms of their business information (including customer, client, patient and employee information) is located. One of the key activities is identifying and documenting all business associates, service providers, business partners, and all other types of outsourced entities that possess or have other types of access to this information. (more…)
The final HIPAA “mega rule” is going to be officially published on the Federal Register tomorrow, January 25, 2013. Currently the version available (https://s3.amazonaws.com/public-inspection.federalregister.gov/2013-01073.pdf) is “pre-publication” version.
Over the past week I’ve had numerous CEs and BAs contacting me, frantic to change their BA Agreements to “avoid complying with the Mega Rule for another year!” Wait, folks. You are misunderstanding; this is a very specific extension that only applies to the BA Agreements. Let me explain… (more…)
This week I spoke with a small (~25 employees) organization (a business associate providing services to healthcare providers) that contacted me looking for help; they had purchased a whiz-bang “HIPAA compliance GRC” solution that included with everything else information security policies, but they couldn’t make any sense of the policies they were given or how they related to the rest of the expensive GRC tool. Grrr!! There are (more…)