|Is your Business Associate effectively protecting ePHI? We have created a Business Associate Security Questionnaire to help evaluate your Business Associates' Information Security Program. This applies to Business Associates that are not covered-entities under HIPAA, or are covered-entities in which you have a peering relationship with.||Business Associate Security Questionnaire|
|Redspin blog post discussing the "protect electronic health information" meaningful use objective.||HIPAA / HITECH Act — A Practical Approach to Meaningful Use Risk Analysis|
|Redspin blog post about IT HIPAA compliance: Risk Analysis and Risk Assessment.||Meaningful Use, Risk Analysis and Protecting Electronic Health Information|
|This graphic visually depicts the HIPAA Security Rule — showing how it fits into the broader Act as well as mapping specific Security Rule requirements to audit objectives and tasks for a HIPAA IT audit.||HIPAA Security Rule Diagram|
|Redspin blog post about Business Associate risk to ePHI and BA requirements to be compliant with the HIPAA Security Rule for a meaningful use assessment.||Business Associates: The HITECH Act requires BAs to be compliant with the HIPAA Security Rule — that's a good thing.|
|An emerging risk to healthcare IT security / HIPAA data security is the increased use of portable devices. How are you allowing mobile device secure access your ePHI? Here is a template you can use to get started.||Mobile Security Policy Template|
Under the HITECH Act Business Associates need to be compliant with the HIPAA Security Rule.
"Sections 164.308, 164.310, 164.312, and 164.316 of title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity."Here is the text of the HITECH Act Section 13401 (a).
|HITECH Act Text|
"The HHS has provides a template business associate agreement. While this is not very robust from a security standpoint:
"Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the Protected Health Information."It provides a baseline. Considering that Business Associates need to be compliant with the HIPAA Security Rule under the HITECH Act, extensive detail at the BA agreement level may not be required."
|Sample HHS Business Associate Agreement|
|HHS HITECH Act Data Breach Notification website (per section 13402(e)(4) of the HITECH Act)||
HIPAA Security Risk Analysis RFP Template — Instant Download!
|Our HIPAA Risk Analysis page describes specific tasks associated with a HIPAA Risk Analysis, including a graphic showing how these tasks fit into HIPAA and the HIPAA Security Rule.||Redspin HIPAA Risk Analysis page|
|The Official Web Site for the Medicare and Medicaid Electronic Health Records (EHR) Incentive Programs||EHR incentive program|
|For eligible professionals, there are a total of 25 meaningful use objectives. To qualify for an incentive payment, 20 of these 25 objectives must be met. There are 15 required core objectives. The remaining 5 objectives may be chosen from the list of 10 menu set objectives.||Eligible professional meaningful use objectives|
|HHS specifies that eligible professionals must protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.||Meaningful use core measure 15 for eligible professionals|
|For eligible hospitals and CAHs, there are a total of 24 meaningful use objectives. To qualify for an incentive payment, 19 of these 24 objectives must be met. There are 14 required core objectives. The remaining 5 objectives may be chosen from the list of 10 menu set objectives.||Eligible Hospital and critical access hospital (CAH) meaningful use objectives|
|HHS specifies that eligible hospitals and CAHs must protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.||Meaningful use core measure 14 for eligible hospitals and CAHs|
|HHS guidance on risk analysis requirements under the HIPAA Security Rule.||HIPAA Security Rule Risk Analysis|