[{"innerBlocks":[],"name":"core\/freeform","postId":125897,"blockType":{"name":"core\/freeform","keywords":[],"attributes":{"content":{"type":"string","source":"raw"},"lock":{"type":"object"}},"providesContext":[],"usesContext":[],"selectors":[],"supports":{"className":false,"customClassName":false,"reusable":false},"styles":[],"variations":[],"apiVersion":3,"title":"Classic","description":"Use the classic WordPress editor.","category":"text"},"originalContent":"As healthcare organizations face increased risk of privacy and security breach, recognizing the significant role played by their business associates is critical.Rigorous due diligence is part of the risk analysis conducted by covered entities (CEs) to ensure partners have HIPAA-compliant policies in place to safeguard the privacy and security of protected health information (PHI).In recent years, many provider organizations have incorporated the HITRUST<\/a> and SOC 2<\/a> frameworks into their third-party assurance process. The focus on breach notification protocols is largely a result of the increased number of breaches involving third-party vendors. SOC 2 is an attestation report that has long been regarded as the standard for service providers outside of healthcare. SOC 2 provides a third-party assessment aligned with HIPAA and HITRUST service trust principles\u2014security, availability, processing integrity, confidentiality and privacy of the systems and controls in place. The report criteria provide a means to measure effectiveness of the controls against a standard. SOC 2 has evolved and continues to mature as a solid foundation for CEs to evaluate BA management programs.

Founded in 2007, HITRUST evolved in response to the growing privacy and security challenges faced by the healthcare industry. Aligned with its mission to \u201cchampion programs that safeguard sensitive information and manage information risk for organizations,\u201d HITRUST provides broad access to common risk and compliance management frameworks. For example, the HITRUST CSF\u00ae<\/a>, the cybersecurity framework, is a certifiable framework that provides a comprehensive, flexible and efficient approach to regulatory compliance and risk management. Established in 2015, it is a widely recognized security framework focused on the healthcare industry in the U.S. To ensure an inclusive set of baseline security controls, the HITRUST CSF leveraged nationally and internationally acceptable standards including ISO, NIST, PCI and HIPAA. As a result, the framework has been used successfully to demonstrate HIPAA compliance. Together, HITRUST and SOC 2 provide the basis for an effective BA management program that promotes communication, confidence and common ground. This makes a significant difference in targeting root causes of perceived risk, evaluating controls and working as a team to close gaps and augment privacy and security protocols. As the adoption of these frameworks and the demand for providing attestation reports become more prevalent, understanding the scope of both HITRUST and SOC 2 is essential. When doing due diligence, make sure the scope of services is relevant to the services that vendors are providing for your organization.Require your BAs to complete an annual privacy and security assessment that includes similar reports provided to the BA by its subcontractors. A recent Ponemon survey<\/a> reports that \u201c87 percent of BAs have experienced electronic data security incidents in the last two years, in contrast to 65 percent of healthcare providers and payers. Nearly 60 percent of all [BA] participants said their incident response process had inadequate funding and resources, and the majority had not performed risk assessments.\u201d Due diligence is never done. It\u2019s a journey. Healthcare organizations that entrust PHI to a BA must ensure that sensitive information is properly safeguarded. Best practice is for providers to partner with compliant, secure BAs that offer compliance knowledge, guidance and value beyond the standard contracted services. Obtaining CFS certification demonstrates integrity and commitment to privacy and security practices aligned with stringent regulatory requirements and expectations of the healthcare industry.As healthcare\u2019s most widely adopted security framework, HITRUST provides an industry standard for BA risk management and compliance. Covered entities can look to HITRUST certification and SOC 2 attestation for assurance that the foundation for implementing a framework with security controls required to safeguard PHI is in place.Here are 12 criteria to mitigate BA management risk. Conduct an assessment of the vendor\u2019s compliance with HIPAA regulations, the integrity of the vendor\u2019s data, and its breach prevention practices. Create a list of assessment factors that correlate to the type of data the vendor can access. Through documentation and firsthand observation, make sure the vendor meets the following requirements:

Designated privacy and security officer.<\/li>

Documented privacy and security policies and procedures that cover employees, volunteers, contractors and other members of the BA workforce.<\/li>

Active privacy and security program that aligns with HIPAA requirements.<\/li>

Ongoing security administration activities to assess, monitor, prevent and mitigate security threats.<\/li>

Established systems for discovery of breaches and a formal response plan.<\/li>

Annual HIPAA training and education for its workforce.<\/li>

BA agreements with any downstream BAs\u2014including documentation of the right to terminate the downstream vendor for security or privacy violations.<\/li>

Adequate physical security protections in place, in addition to systems and process protections.<\/li>

Current disaster recovery plan available for assessment.<\/li>

Report on any HIPAA breaches the vendor or subcontractor may have caused or been part of, along with subsequent remedial efforts. <\/li>

Assessment of potential impact of the breach history on your organization\u2019s reputation\u2014evaluation of remedial work.<\/li>

Evidence of financial stability to protect against failures that could jeopardize data privacy and security.<\/li><\/ul>","saveContent":"As healthcare organizations face increased risk of privacy and security breach, recognizing the significant role played by their business associates is critical.Rigorous due diligence is part of the risk analysis conducted by covered entities (CEs) to ensure partners have HIPAA-compliant policies in place to safeguard the privacy and security of protected health information (PHI).In recent years, many provider organizations have incorporated the HITRUST<\/a> and SOC 2<\/a> frameworks into their third-party assurance process. The focus on breach notification protocols is largely a result of the increased number of breaches involving third-party vendors. SOC 2 is an attestation report that has long been regarded as the standard for service providers outside of healthcare. SOC 2 provides a third-party assessment aligned with HIPAA and HITRUST service trust principles\u2014security, availability, processing integrity, confidentiality and privacy of the systems and controls in place. The report criteria provide a means to measure effectiveness of the controls against a standard. SOC 2 has evolved and continues to mature as a solid foundation for CEs to evaluate BA management programs. Founded in 2007, HITRUST evolved in response to the growing privacy and security challenges faced by the healthcare industry. Aligned with its mission to \u201cchampion programs that safeguard sensitive information and manage information risk for organizations,\u201d HITRUST provides broad access to common risk and compliance management frameworks. For example, the HITRUST CSF\u00ae<\/a>, the cybersecurity framework, is a certifiable framework that provides a comprehensive, flexible and efficient approach to regulatory compliance and risk management. Established in 2015, it is a widely recognized security framework focused on the healthcare industry in the U.S. To ensure an inclusive set of baseline security controls, the HITRUST CSF leveraged nationally and internationally acceptable standards including ISO, NIST, PCI and HIPAA. As a result, the framework has been used successfully to demonstrate HIPAA compliance. Together, HITRUST and SOC 2 provide the basis for an effective BA management program that promotes communication, confidence and common ground. This makes a significant difference in targeting root causes of perceived risk, evaluating controls and working as a team to close gaps and augment privacy and security protocols. As the adoption of these frameworks and the demand for providing attestation reports become more prevalent, understanding the scope of both HITRUST and SOC 2 is essential. When doing due diligence, make sure the scope of services is relevant to the services that vendors are providing for your organization.Require your BAs to complete an annual privacy and security assessment that includes similar reports provided to the BA by its subcontractors. A recent
Ponemon survey<\/a> reports that \u201c87 percent of BAs have experienced electronic data security incidents in the last two years, in contrast to 65 percent of healthcare providers and payers. Nearly 60 percent of all [BA] participants said their incident response process had inadequate funding and resources, and the majority had not performed risk assessments.\u201d Due diligence is never done. It\u2019s a journey.
Healthcare organizations that entrust PHI to a BA must ensure that sensitive information is properly safeguarded. Best practice is for providers to partner with compliant, secure BAs that offer compliance knowledge, guidance and value beyond the standard contracted services. Obtaining CFS certification demonstrates integrity and commitment to privacy and security practices aligned with stringent regulatory requirements and expectations of the healthcare industry.
As healthcare\u2019s most widely adopted security framework, HITRUST provides an industry standard for BA risk management and compliance. Covered entities can look to HITRUST certification and SOC 2 attestation for assurance that the foundation for implementing a framework with security controls required to safeguard PHI is in place.Here are 12 criteria to mitigate BA management risk. Conduct an assessment of the vendor\u2019s compliance with HIPAA regulations, the integrity of the vendor\u2019s data, and its breach prevention practices. Create a list of assessment factors that correlate to the type of data the vendor can access. Through documentation and firsthand observation, make sure the vendor meets the following requirements:
Designated privacy and security officer.<\/li>
Documented privacy and security policies and procedures that cover employees, volunteers, contractors and other members of the BA workforce.<\/li>
Active privacy and security program that aligns with HIPAA requirements.<\/li>
Ongoing security administration activities to assess, monitor, prevent and mitigate security threats.<\/li>
Established systems for discovery of breaches and a formal response plan.<\/li>
Annual HIPAA training and education for its workforce.<\/li>
BA agreements with any downstream BAs\u2014including documentation of the right to terminate the downstream vendor for security or privacy violations.<\/li>
Adequate physical security protections in place, in addition to systems and process protections.<\/li>
Current disaster recovery plan available for assessment.<\/li>
Report on any HIPAA breaches the vendor or subcontractor may have caused or been part of, along with subsequent remedial efforts. <\/li>
Assessment of potential impact of the breach history on your organization\u2019s reputation\u2014evaluation of remedial work.<\/li>
Evidence of financial stability to protect against failures that could jeopardize data privacy and security.<\/li><\/ul>","order":0,"get_parent":{},"attributes":[],"attributesType":{"content":{"type":"string","source":"raw"},"lock":{"type":"object"}},"dynamicContent":""}]

Critical practices to improve business associate management

More for you