Someone recently commented that I write a lot of blog posts based on my work and what my clients, students and others I meet at conferences and training classes have said or done. Well, that’s because such interactions often create some very good teaching moments that many others could benefit from! And so, yes, now I have another such experience to share. One of my new Compliance Helper clients recently told me, “I still don’t know what I need to do for HIPAA/HITECH compliance that is not covered under the compliance activities of my business clients. How can I do anything more beyond what they are already doing?”
This is a question many businesses are asking. Certainly in the U.S. in the healthcare sector, where now business associates (BAs) are equally responsible for complying with all of HIPAA and HITECH, along with the covered entities (CEs) they are doing work for. This is also being asked in all other industries where businesses are outsourcing a wide range of business processing and storage activities to a wide range of outsourced entities. I still find an overwhelmingly large portion of organizations that do work for other companies, especially small and midsized businesses (SMBs) and startups, who believe that the companies that they are doing work for are doing all the security and privacy controls necessary, so they do next to nothing with regard to safeguards as a result.
Your client’s compliance does NOT make you compliant
If you have or work for an SMB or startup that has business clients, keep in mind that your clients have *their own* compliance activities for *their own* business, that is separate from yours. What you need to do are compliance activities appropriate for *your* business activities. Some of the common activities that BAs, and other types of vendors, need to do include such things as:
- Having administrative safeguards, such as information security and privacy policies/procedures appropriate for your business activities, providing training and ongoing awareness communications, doing risk assessments, implementing workforce information security activities oversight, assigning responsibilities for information security and privacy, and so on.
- Having technical safeguards, such as anti-malware on your laptops and other mobile computing devices, using firewalls, using strong passwords, using encryption as appropriate based upon risk,
- Having physical safeguards, such as ensuring you do not use your laptop in areas where others who are not authorized to see your CEs’ data can view it, keeping control of your computing and storage devices, etc.
Every organization, of every size, and in every industry, needs to establish information security and privacy safeguards and controls to appropriately mitigate the risks within their own organization. You cannot expect that the actions that your clients are taking will also be mitigating your own risks…because they won’t! Perform a risk assessment and you’ll discover the risks within your own organization.
A few words specific to HIPAA/HITECH
Since there are a few million BAs out there, and the Omnibus Rule just created a sea change for them all, I want to emphasize a few things specific to healthcare CEs and BAs. HIPAA/HITECH applies to all types organizations, of any and all sizes, that fall under the definition of a CE (healthcare provider, healthcare insurer, healthcare clearinghouse), and a BA (an organization that provides services for a CE, and that has access to PHI). The size of the entity providing services for a CE is not a factor for whether or not an organization is a BA, nor are the technical and access circumstances. Even a one-person business that falls under the definitions would still be a CE or BA, and need to comply with all HIPAA/HITECH requirements, as they are applicable to their business services/offerings.
In general, if you are doing work for a CE and have access (technical, physical, etc.) to their PHI to provide some type of associated support or service for or with it, then you are the CE’s BA. You need to make sure you are following the appropriate portions of HIPAA/HITECH for your situation.
If you are doing work for a CE, but *do not have any access* (technical or otherwise) to PHI, then generally you would not be a BA.
Bottom line for organizations of all sizes…
So, business leaders, from the largest to smallest and in all industries, must remember: if you do work for business clients, you still need to implement information security and privacy safeguards and controls within *your own organization* to protect the information that your clients have entrusted you to access.
This post was written as part of the IBM for Midsize Business (http://Goo.gl/t3fgW) program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.
Tags: awareness, BA, breach, business associate, CE, compliance, covered entity, data protection, HIPAA, HITECH, IBM, Information Security, information technology, infosec, IT security, midmarket, monitoring, non-compliance, personal information, personal information identifier, personal information item, personally identifiable information, PHI, PII, policies, privacy, privacy breach, privacy laws, privacy practice, privacy professor, privacyprof, Rebecca Herold, risk assessment, risk management, security, sensitive personal information, social network, SPI, surveillance, systems security, training