All Data Fast News is © Data Fast Solutions, unless where otherwise indicated • All Rights Reserved

Data Fast News


Keep up to date with Data Fast Solutions for your business.

Auditing Business Associates for HIPAA Compliance

HIPAA Password Security and ManagementIn a previous blog, we discussed appointing a HIPAA Privacy and Security Officer and all of the duties that the officer may perform as set forth by the American Health Information Management Association (AHIMA).

In addition to those duties, an important task is to regularly audit your healthcare company to ensure overall HIPAA compliance. Part of your company’s audit should be to make sure Business Associate Agreements are up-to-date and include revisions, required under the Omnibus Final Rule, that the business associate will stay HIPAA compliant.

The HIPAA Omnibus rule (section 164.103) states that a covered entity may be a business associate of another covered entity and a business associate includes:

(i) A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.

(ii) A person that offers a personal health record to one or more individuals on behalf of a covered entity.

(iii) A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.

(4) Business associate does not include:

(i) A health care provider, with respect to disclosures by a covered entity to the health care provider concerning the treatment of the individual.

(ii) A plan sponsor, with respect to disclosures by a group health plan (or by a health insurance Issuer or HMO with respect to a group health plan) to the plan sponsor, to the extent that the requirements of § 164.504(f) of this subchapter apply and are met.

(iii) A government agency, with respect to determining eligibility for, or enrollment in, a government health plan that provides public benefits and is administered by another government agency, or collecting protected health information for such purposes, to the extent such activities are authorized by law.

(iv) A covered entity participating in an organized health care arrangement that performs a function or activity as described by paragraph (1)(i) of this definition for or on behalf of such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) of this definition to or for such organized health care arrangement by virtue of such activities or services.

HIPAA Password Security and ManagementTo ensure your business associates remain HIPAA compliant, Data-Fast Solutions recommends that your HIPAA Privacy and Security Officer audit your business associates on a regular basis. This is extremely important because the duties they carry out, as a covered entity, make you liable for any penalties occurred for violations committed by them.

Some ways to audit a business associate include asking about their security systems in place and:

  • How and when they are educating their workforce
  • Specifically, how they handle sensitive data
  • Whether they have HIPAA policies and procedures in place
  • Whether or not they are auditing their own business associates who may interact with HIPAA related data

As HIPAA Certified I.T. professionals, Data-Fast Solutions can assist you with an I.T. audit to ensure your company, and your business associates, are HIPAA I.T. compliant. Contact us at (817)380-3188 for more information.

This article is ©2018 Data Fast Solutions • All Rights Reserved