What if your Business Associates Had A Security Incident?
Covered Entities (CEs) believe it is impossible to determine whether the policies and procedures of their Business Associates (BAs) are adequate to respond effectively to a security incident.
To complicate matters, a large number believe their Business Associates would NOT notify them in the event of a security incident.
It is crucial that BAs notify CEs in the event of any use or disclosure of Protected Health Information (PHI) not provided for in the contract. This includes any breach of unsecured PHI, as well as any security incident. The Business Associate Agreement (BAA) should specify how, and for what purpose, the PHI will be used by each BA or subcontractor.
HIPAA defines security incidents as attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. (See the definition of security incident at 45 CFR 164.304).
HIPAA also identifies breaches as access, use, or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of PHI. (See the definition of breach at 45 CFR 164.402).
Covered Entities and Business Associates need to understand that patients are entrusting them with their most private and intimate details, and they expect those details to remain secure.
Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?
For tips like this and more, request your copy of the “HIPAA Security Rule – Know The Rules!” newsletter today.