3. Expanded Definitions
Work for CE + Access PHI = BA
Data transmission providers
Subcontractors to BA
4. HIPAA Security Rule...
Applies to:
A) Covered Entities
B) Business Associates
C) Subcontractors
D) All of the above
5. Oops, I didn't know
“lack of knowledge” is not a defense*
AKA
what you don't know
{about BAs}
can hurt you
* 75 Federal Register 40878, July 14th, 2010, NPRM
6. BAs Dual Risk
Liability to government (HIPAA)
Liability to CE (BAA)
7. CEs Dual Risk
Liability to government (HIPAA)
Liability to government (BA security)
34. Summary
For BAs & CEs
New responsibilities (HIPAA Sec. Rule)
Increased accountability / scrutiny
Need effective (true) risk management
BAs need to be ready to be audited by CEs
CEs need to be ready to audit BAs
35. { thank you! }
John Abraham
jabraham@redspin.com
805-705-8040 (mobile)