HIPAA Compliance: Vendor Management TipsObtaining Documentation of Risk Assessments a Key Step
"Build due diligence into your vendor management process," says McMillan, CEO of the consulting firm CynergisTek. "You don't have to go to the business associate's location; you don't have to conduct the risk assessment or manage their program. Just build in those common sense practices into the oversight of the relationship. That forces the business associate along the way to demonstrate that they're doing the prudent things you need them to do."
Under the HIPAA Omnibus Rule, business associates of covered entities are directly liable for HIPAA compliance, and that means they must conduct a timely and thorough risk assessment. That's why it's essential for covered entities to demand that their BAs provide documentation that demonstrates that they have conducted an analysis and taken other necessary security steps, McMillan says in an interview with Information Security Media Group during the recent 2014 HIMSS Conference.
Plus, healthcare organizations should regularly review their BA's privacy and security measures, he adds. "For instance, if you have someone who is hosting your data, and periodically they have responsibility for backing it up or for destroying some of it, then you want to make sure they provide to you evidence that they've done those things," he says. "You want a destruction certificate, you want a written document that says they've backed up all your systems this month and everything worked properly."
In the interview, McMillan also discusses:
- Why risk assessments are essential not only for HIPAA compliance, but also as a component of a strong information security program;
- How risk assessments by business associates differ from those conducted by covered entities ;
- Common mistakes to avoid in a risk analysis.
McMillan is co-founder and CEO of CynergisTek Inc. an Austin, Texas-based firm specializing in information security and regulatory compliance in healthcare, financial services and other industries. He has more than 30 years of security and risk management experience, including 20 years at the Department of Defense, most recently at the Defense Threat Reduction Agency. He is also chair of the Healthcare Information and Management Systems Society's privacy and security task force. McMillan was recently named by ISMG a Top Influencer for 2014.
Additional Summit Insight:
Hear from more industry influencers, earn CPE credits, and network with leaders of technology at our global events. Learn more at our Fraud & Breach Prevention Events site.