Posts Tagged ‘BA’

I Don’t Need No Stinkin’ BA Agreement…or Do I?

Friday, May 31st, 2013

Last week one of my Compliance Helper clients that is a health insurance company asked me the following question (slightly modified to protect their identity):

For the past two years, we have tried to get business associate (BA) Agreements from some of our BAs. They will not (more…)

The PHI PII Egg Hunt

Saturday, March 30th, 2013

Locate it to protect it

I love speaking with folks about privacy, information security and compliance.  I am sincerely interested in hearing about their challenges, and then also identifying common challenges amongst them all.  We can then get to solutions. 

One of the consistently common challenges I’ve heard from privacy and security folks in the past several months is trying to (more…)

How Long is the Liability Tail?

Wednesday, March 27th, 2013

Don’t tell me it depends! Well, sorry, but…
I’ve been involved in several interesting discussions (some with lawyers, some with security folks, some with privacy folks, and a few of the folks wearing all three hats) about the liability of organizations that outsource business processing. Since January 17 I’ve also been working on a wide range of documentation changes to reflect the recently released 563 page tome that is the Final HIPAA Omnibus Rule. A significant part of the documentation and writing involves discussion of the increased liability a covered entity (CE) now has for the bad practices and mistakes made by their business associates (BAs).

Organizations want a clear cut answer to “how liable” they are for the actions of their outsourced entities. One CISO at a conference demanded, “Just tell me; are we going to be held responsible for the actions of our business associates or not? Just (more…)

How Physical Harm Impacts Can Drive Huge HIPAA Penalties

Wednesday, February 20th, 2013

Are you a covered entity (CE) or business associate (BA) as defined by HIPAA? There are literally millions of organizations in the U.S. that fall under these definitions, and possibly additional millions of BAs outside of the U.S. providing services to U.S.-based CEs. The impact is significant, and truly world-wide. If you are a CE or BA, did you know that your information security and privacy activities, or lack thereof, could cause physical harm to patients and insureds, and that you can receive significant penalties under the new HIPAA rules based upon those impacts? (more…)

Are You Ready to Pay for the Sins of Your Contracted Entities?

Sunday, February 3rd, 2013

Over the years when working with a wide range of organizations, helping them to identify where all forms of their business information (including customer, client, patient and employee information) is located.  One of the key activities is identifying and documenting all business associates, service providers, business partners, and all other types of outsourced entities that possess or have other types of access to this information. (more…)

Why You Should Use a Right to Audit Clause

Thursday, January 24th, 2013

A Tale of Two Viewpoints

When I was responsible for information security and privacy at a large financial and healthcare organization throughout the 1990’s I had literally hundreds of business partner organizations to which we outsourced various types of activities that required some type of access to our client and customer information. Add to that several hundred agents and, scarier still because they were not exclusively selling our products, brokers, and you can probably imagine the angst I felt when thinking about the ways in which all those other organizations were putting our information at risk.  The contracts with them had a very brief requirement to “provide appropriate security controls” for the information, but that did not alleviate my worries. But, since at that time there were no data protection regulations in effect, the lawyers said this simple clause was enough.  And then one of the outsourced entities had an incident resulting from lack of controls which allowed a hacker to enter our network.  (more…)

Should You Rush to Execute a BA Agreement Today? Probably Not

Thursday, January 24th, 2013

The final HIPAA “mega rule” is going to be officially published on the Federal Register tomorrow, January 25, 2013.  Currently the version available (https://s3.amazonaws.com/public-inspection.federalregister.gov/2013-01073.pdf) is “pre-publication” version.

Over the past week I’ve had numerous CEs and BAs contacting me, frantic to change their BA Agreements to “avoid complying with the Mega Rule for another year!” Wait, folks. You are misunderstanding; this is a very specific extension that only applies to the BA Agreements.  Let me explain… (more…)

You Need to Actually Do What Your Policies Say!

Friday, December 21st, 2012

This week I spoke with a small (~25 employees) organization (a business associate providing services to healthcare providers) that contacted me looking for help; they had purchased a whiz-bang “HIPAA compliance GRC” solution that included with everything else information security policies, but they couldn’t make any sense of the policies they were given or how they related to the rest of the expensive GRC tool.  Grrr!! There are (more…)

Encryption: Myths and Must Knows

Friday, March 2nd, 2012

I am looking forward to the day when we can look at the news headlines and not see some report about a lost or stolen computing device or storage device that contained unencrypted personal information and/or other sensitive information.  And, I also want to stop seeing stories reappear about such an incident, such as the stolen NASA laptop with the clear text Space Station control codes that was stolen last year, but is making the headlines yet again today.  NASA is a large enough, and tech savvy enough, organization to know better!  However, there are many organizations that simply don’t understand what a valuable information security tool encryption is.   I work with many small to medium sized businesses (SMBs), all of which have legal obligations (such as through HIPAA and HITECH, along with contractual requirements) to protect sensitive information, such as personal information.  Over the past year I’ve heard way too many of them make remarks such as… (more…)

Is A W-2 PHI?

Monday, February 27th, 2012

“Is a W-2 form protected health information?” is a simple question with a complex answer that begins (I know, to the nail-biting chagrin of many), “It depends…”

First the full question: (more…)