Solutions to Manage Business Associates
The Omnibus Rule made significant changes to HIPAA regulations. It clarified that anyone hired to do work for or on behalf of a covered entity (CE) can fall into the business associate (BA) category if they create, receive, transmit or maintain PHI for a provider. More importantly, it made BAs liable for compliance with the HIPAA Security Rule and certain provisions of the Privacy Rule. As a result, providers need to have an effective vendor management program in place and document greater due diligence. Providers can achieve this with Vendor Security Management.
CynergisTek’s Vendor Security Management program will evaluate and monitor vendors on a regular and ongoing basis and make them accountable for safeguarding PHI. CynergisTek will evaluate each vendor’s level of risk, require them to attest to their compliance with HIPAA and determine which protections are in place. CynergisTek will then actively monitor each vendor, communicate the security gaps identified and alert the covered entity to any changes in the vendor’s status. All associated risks, questions and documents are maintained and included in regular vendor status reports.
Documenting this information is necessary to demonstrate due diligence in any investigation or compliance review. The end result will alleviate the pain and suffering of managing multiple vendors and help demonstrate compliance with HIPAA regulations.