An 8-slide primer on why Business Associates should conduct a HIPAA Security Risk Analysis to meet their new compliance and risk management needs. Includes updates from the HITECH Act and the HIPAA Omnibus Rule.
HIPAA Security Risk Analysis for Business Associates
1. AN 8-SLIDE INTRODUCTION
HIPAA Security Risk Analysis for Business Associates
7/30/2013 www.redspin.com 1-800-721-9177
2. What Changed?
HITECH/HIPAA Omnibus Rule Expands Definition of Business Associates
Business Associates Must Now Comply with Many of the Same HIPAA Security and Privacy Provisions as Covered Entities
Liability for Certain Compliance Failures (e.g. PHI Data Breach) Now Extends Directly to Business Associates
3. What Changed?
HITECH Act and HIPAA Omnibus Rule Expand Definition of Business Associates
Now includes subcontractors of Business Associates
Person or entity that “creates, receives, maintains, or transmits protected health information on behalf of a covered entity”
Illustrative examples: data storage companies, health information organizations, e-prescribing gateways, vendors of personal health records
4. What Changed?
Business Associates Must Comply with Many of the Same HIPAA Security and Privacy Provisions as Covered Entities
All provisions of the HIPAA Security Rule with regard to ePHI, including the requirement to conduct a Security Risk Analysis
Report breaches of PHI to the covered entity
Execute and maintain contractual relationships with subcontractors with the same restrictions and provisions regarding protection of PHI as the business associate
5. What Changed?
Liability for Certain Compliance Failures (e.g. PHI Data Breach) Now Extends Directly to Business Associates
Direct civil (and potentially criminal) liability
Subject to similar breach reporting requirements and identical monetary penalty amounts as covered entities
Penalties can be up to $50,000 per violation, with a maximum of $1.5 million per year for the same violation
Compliance date is September 23, 2013
6. Why Conduct a HIPAA Security Risk Analysis?
To Comply with the HIPAA Security Rule
HIPAA Security Rule 164.308(a)(1)(ii)(A) Risk analysis (Required):
“Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”
7. What is a HIPAA Security Risk Analysis?
Purpose of a Risk Analysis is to Identify:
Threats to the organization
Vulnerabilities internal and external to the organization
Consequences, impact, and harm to the organization that may occur given the potential for threats exploiting vulnerabilities
Likelihood that harm will occur
8. What is a HIPAA Security Risk Analysis?
Scope of a Risk Analysis Can Include:
HIPAA gap analysis (policies, procedures, controls)
Network infrastructure security testing (vulnerability assessment)
EHR and application risk assessment
Mobile device security (organization-issued and BYOD)
Business associate compliance review
Employee security awareness