Expert Advice by Mac McMillan

CynergisTek CEO, Mac McMillan recently sat down with Becker’s Hospital CIO to provide advice on how covered entities (CEs) and business associates (BAs) can prepare for the new HIPAA Audits. Earlier this month the Office for Civil Rights (OCR) announced that they were sending out surveys to 800 covered entities and then would send surveys to those entities’ BAs. McMillan tells Becker’s Hospital CIO, “OCR is stepping up their game, adding security and audit SMEs to their team of regulators, and covered entities and business associates had better as well.” He addresses three ways to prepare.

  1. Business Associate Agreements: It is necessary for covered entities to have business associate agreements (BAAs) with all of the vendors they do business with that handle PHI. BAs need to know that they are now responsible for protecting it, and that responsibility should be documented in the BAA.
  2. Risk assessment: Everyone needs to have a thorough and current risk assessment to meet the requirements under the HIPAA Security Rule. McMillan suggests, “Select an industry-recognized framework for security like ISO, ITIL or NIST and apply it.”
  3. Vendor management: Covered entities need to perform due diligence, have a high level of awareness of their vendors’ security programs and execute a vendor management program. CEs should ask “Have I done my due diligence? What do I know about my vendors’ security programs? Have I addressed all of the areas they should have to ensure a successful partnership, incident response, requests for information, physical protection, transmission security, etc.?” CEs should know what the vendor is doing to safeguard PHI and what the response plan is in case of an incident.
