Compliance Assist Partner Program for Business Associates (BA CAPP)

The HIPAA Privacy Rule defines a business associate as “a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information,” and the HIPAA Security Rule requires business associates to conduct a risk analysis and maintain a security program that protects the confidentiality, integrity and availability of ePHI. Business associates are held directly accountable for protecting PHI and maintaining compliance, and are subject to OCR enforcement in the same capacity as covered entities. They will also be included in the next round of random OCR audits, where documentation of the risk analysis is a common request.

To address this industry need, we offer a CAPP service customized for business associates. This includes the same components as a standard CAPP engagement, except that we review your progress and remediation every other year. In addition, you will be able to demonstrate your compliance and security posture to your clients, investors and partners.


CAPP Program Elements

The CAPP program includes the following elements:

  • Assess

    CynergisTek will conduct a baseline security assessment of the organization covering all of the administrative, physical and technical safeguards required under HIPAA. The resulting reports serve as the foundation for the ongoing management and maturity of the Security Program. CynergisTek will create prioritized remediation plans that address short-term critical vulnerabilities, including technical and programmatic/policy-related findings, together with a transition plan for medium- and long-term objectives and maintenance.

  • Advise

    CynergisTek consultants are industry veterans who provide the resources and experience that enable our clients to accelerate the implementation of their security programs. Throughout the process, CynergisTek will advise on the development and remediation of the programs, drawing on our extensive privacy and security expertise. The client has access to the entire CynergisTek staff, whether the request is deeply technical in nature or a higher-level program management discussion.

    Advisory support is provided at all levels: executive, programmatic, and through direct peer-to-peer interaction between staff. This enables CynergisTek to augment the capabilities of the client organization and respond to whatever privacy or security matter may arise. Day-to-day programmatic management is accomplished through a combination of communication channels (telephone, an interactive web portal, and email), making it possible for CynergisTek to respond rapidly to client requests for information or support.

  • Develop

    CynergisTek will be involved in the ongoing remediation and maturation of the Security Program and will supervise any transition to appropriate staff within the organization.

    Ongoing executive direction is provided through periodic Executive Reviews designed to ensure remediation and program building efforts remain on track. The appointed monitor within the client’s organization will also be included in these communications and have access to the portal for real-time updates on the progress of remediation and the program.

    CynergisTek will also provide strategic planning support and assist clients in keeping current with emerging industry, threat and regulatory trends. Beyond the standard elements of the CAPP (regular assessment, testing of technical controls and ongoing advisory support), the program also provides a ready vehicle for on-call consulting, staffing, and engineering support.

  • Regulatory Expertise

    CynergisTek’s employees have experience working in and developing regulatory programs in both government and private-sector positions. Each member of the CynergisTek staff holds relevant certifications in their area of focus, and through our unique relationship with OCR we understand healthcare’s regulatory environment and will advise on appropriate measures to ensure compliance.

  • Ongoing Technical Testing

    CynergisTek will monitor the organization’s technical controls and vulnerability management through quarterly technical testing. This consistent monitoring allows us to remediate critical vulnerabilities effectively and to work with the client’s IT staff on proper patching and vulnerability management. Trending data will be provided, and our reports will not only show areas of the information security program that need improvement but also highlight progress throughout the term of the engagement.

  • Community

    Today there are nearly a hundred healthcare entities in the CAPP program. Each not only shares access to CynergisTek’s knowledge base, but also to each other’s. One of the biggest strengths of this program is the interaction, assistance and information sharing fostered by CynergisTek among and between the CAPP membership. When someone has a question we not only share our knowledge, but we pull from our CAPP clients’ experiences and others. CISOs from one CAPP member often act as mentors and sounding boards for other CISOs in the program. The CAPP is not a one-plus-one, but a one-plus-many relationship.

Standard BA CAPP Engagement Components

The standard BA CAPP engagement includes the following components:

Reports & Deliverables

After data collection, we compile a series of reports that detail findings, observations, recommendations, and step-by-step remediation guidance, along with trending data for repeat customers that provides input on overall technical program maturity. These reports include:
