By: Mitchell H. Levine, CISA
Audit Serve, Inc.
The original HITECH Act of October, 2010 rolled out a set of mandates covering three areas: security breach notifications when a security breach involves PHI data within a Covered Entity (e.g., hospitals, health providers and health plans) or the Covered Entity’s Business Associates (i.e., entities that perform functions on behalf of the Covered Entity which involve PHI data, such as claims processing, billing, consulting, accounting, legal and data analytics); the implementation of processes to prevent security breaches; and the restriction of the sale and marketing of PHI. The only oversight requirement that the Covered Entity had over the Business Associate was a contract provision stating that the Business Associate would meet the requirements of 45 CFR 164.504(e).
The new HITECH rules issued January 25, 2013 have changed the landscape of how Covered Entities need to manage their relationship with their Business Associates. The new mandates require Business Associates to meet the same security and privacy requirements as Covered Entities. The level of due diligence that the Covered Entity needs to perform to ensure that Business Associates meet these requirements is being interpreted by each organization. This will require vendor management processes to be enhanced to validate compliance with these mandates before entering into a contract with a Business Associate, and to perform revalidations periodically during the lifetime of the contract. The open question is the degree of validation that needs to be performed, which can range from control walkthroughs to discuss security and privacy controls to having independent firms perform control validations/audits of these Business Associates.
The new HITECH rules issued January 25, 2013 also require Business Associates to have contracts with Subcontractors to safeguard any PHI data in their possession. The question again is the type of validation processes the Covered Entity performs to ensure that its Business Associates are complying with this requirement.
The new HITECH rules issued January 25, 2013 also restructured the criteria and approach to breach notification. The restructured criteria are based on the use of risk assessments to determine the probability that PHI data was compromised.