Friday 26 June 2015

Work remains in understanding BA security risks

While business associate agreements are likely to be a bigger target of 2015 OCR HIPAA enforcement, there’s a lot of work yet to be done in that area, David Szabo, a partner in the Boston office of the law firm Locke Lord LLP, tells Healthcare Info Security.

A key distinction to understand, he says, is whether a business associate is your agent, subject to your control, or independent, in which case a breach would be that organization’s own problem.

“If the business associate is your agent … you are responsible for anything that happens within that scope of work. If the business associate has a breach, makes an improper disclosure … the covered entity can be held directly accountable, as if they did it themselves,” he explains.

A lot of organizations have problems where business associates won’t sign an agreement, or some providers have BAs who want to sign the agreement and do no more. “There’s a lot more to it than just signing an agreement,” Szabo says.

Covered entities can spend a lot of lawyer time on indemnity clauses, insurance, what responsibilities a BA has, who covers breach costs, who controls notification and other issues, he says. It might not be worth all that for a BA who plays a minor role in the organization and has little to do with sensitive data. However, those that are mission-critical, host large amounts of your data and are involved in other sensitive areas require a lot more attention.

In addition, more organizations are asking about cybersecurity insurance, an area Szabo predicts will get a lot more attention going forward.

In May, the Office of Civil Rights sent pre-audit screening surveys to covered entities that could be selected to participate in much-delayed Phase 2 of the HIPAA audit program.

View the original content and more from this author here:
http://ift.tt/1JagDyM



from health IT caucus http://ift.tt/1LAEueD
via IFTTT