The HIPAA Privacy Rule defines business associates as “a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information.” It also requires that business associates conduct a risk analysis and maintain a security program to protect the confidentiality, integrity and availability of ePHI. Business associates will be held accountable for protecting PHI and maintaining compliance, and will be subject to OCR enforcement in the same capacity as covered entities. They will also be included in the next round of random OCR audits, and documentation of risk analysis will be a common request.
To address this industry need, we offer a CAPP service customized for business associates. This includes the same components as a standard CAPP engagement, except that we review your progress and remediation every other year. In addition, you will be able to demonstrate your compliance and security posture to your clients, investors and partners.