The cost of third-party remote access noncompliance: HIPAA edition

Security Boulevard

Tony Howlett

It’s no news to healthcare-related organizations that if they handle protected health information (PHI) or electronic protected health information (ePHI), they are required to maintain HIPAA/HITECH compliance. These regulations are stringent, and staying compliant can be difficult. Covered entities find themselves in a difficult position, because their HIPAA compliance depends not only on their own actions but also on those of their vendors. Covered entities tend to deal with many vendors at once, and managing the risk posed by those third parties can prove time-consuming and costly. A great way for a vendor to separate itself from its competitors is to go beyond the legally required minimum to show that it is compliant and can be trusted to handle PHI/ePHI. On the flip side, vendors with a habit of noncompliance risk a damaged reputation, lost customers and profits, and possible sanctions from the HHS Office for Civil Rights (OCR), which enforces the HIPAA rules.

BAAs are agreements, not guarantees
Third-party vendors, or business associates as HIPAA calls them (the HITECH Act made them directly liable for compliance), are required to sign a business associate agreement (BAA) before being granted access to PHI. But even though a BAA contractually binds a vendor to HIPAA compliance, it does not guarantee that the vendor is compliant in practice. As such, the requirements for vendors extend beyond simply signing the paperwork. In cases where breaches do occur, business associates are obligated under federal law to...
