by John Moore, iHealthBeat Contributing Reporter

Third-party business partners represent a significant security risk to health care providers, who may need several layers of protection to ensure the security of patient data.

The HIPAA Privacy Rule refers to third parties as “business associates” and defines them as individuals or organizations that handle protected health information, or PHI, in the course of working with a covered entity. The category may cover a range of companies, including data processing firms, IT consultants and cloud computing providers.

HIPAA’s Security Rule calls for covered entities to create contracts with business associates to ensure that the partner “will appropriately safeguard” PHI. The HITECH Act of 2009 further strengthened HIPAA’s rules regarding business associates and security obligations.

While the HIPAA rules have been around for a while — the Security Rule’s compliance date goes back to 2005 — hospitals and other health care providers have not consistently devoted a significant amount of time to business associate security.

Read John’s entire article, featuring insight from CynergisTek CEO Mac McMillan, here: