HIPAA, the acronym for the Health Insurance Portability and Accountability Act, is a regulation administered by the Department of Health and Human Services.
Most people are aware that hospitals, long-term care facilities, health insurance companies, doctors offices, & the like must comply with both the privacy and security components of HIPAA. However, many people are fuzzy on the fact that other organizations also have to follow a minimum set of security standards under HIPAA.
Any organization who provides services to any of the entities above has to sign what is called a business associate agreement or BAA. This agreement is essentially an attestation that the business associate will exercise due care while handling medical records.
Here are some examples of business associates:
- An outsourced IT firm
- A third-party cybersecurity firm
- A CPA firm who provides accounting services and has access to PHI in the process
Any time a business associate discloses, handles or uses PHI, they must comply with HIPAA Security Rule and HIPAA Privacy Rule mandates.
The HIPAA Security Rule requires periodic risk assessments, users to be trained on security best practices, and penetration testing to ensure that the business associate is not adding unnecessary risk to the handling of protected health information.
Essentially, anybody coming in touch with protected health information needs to align their cybersecurity posture with HIPAA requirements.
Managed Security Team
Post a Comment