Managing HIPAA / HITECH Act Risk in ePHI Supply Chain
HITECH and the notice of proposed rulemaking (NPRM) published in the Federal Register July 14,
2010 significantly impact how Covered Entities (CEs) and Business Associates (BAs) manage health IT
security risk under HIPAA. It has, in effect, created an ePHI supply chain in which everyone on the
chain needs to worry about the security controls of everyone else in the chain. Here’s why:

   1. Business Associates: the definition of a BA is expanded to include data transmission services
      such as HIEs and RHIOs and also subcontractors of BAs that have access to ePHI.
   2. HIPAA Security Rule: BAs are now responsible for complying with the HIPAA Security Rule.
   3. Penalties: penalties for noncompliance apply not only to CEs, but also to BAs and BA
      subcontractors.
   4. “Oops, we didn’t know”: a BA can no longer use “lack of knowledge” as a defense to limit
      liability for HIPAA non-compliance violations.
   5. Dual Liability: BAs have contractual liability to the CE for HIPAA compliance via Business
      Associate Agreements (BAAs) as well as liability directly to the government for HIPAA compliance.

What can you do? Whether you are a CE, a BA or a subcontractor of a BA, a number of steps can
reduce your risk.

   1. Policies: Ensure you have effective and practical policies and procedures in place to document
      how you manage health IT and mitigate security risk.
   2. Training: Educate employees to ensure they understand the policies as well as the spirit and
      intent of those policies.
   3. Assessment: Complete a HIPAA Risk Analysis to identify security risk, determine the effectiveness
      of security controls and measure conformance with policies and the HIPAA Security
      Rule. Whether you are a CE, a BA or a BA subcontractor, you need to understand where your
      risk of disclosing ePHI lies. Lack of knowledge does not limit liability, and completing a risk
      assessment helps focus risk mitigation measures and indicates a commitment to a robust
      information security program in the event of post-data-breach litigation.
   4. Manage Vendor Risk: Both CEs and BAs need to understand the extent to which vendors magnify
      their risk of ePHI disclosure. Because every organization has limited resources, it's important to
      prioritize vendors to determine which ones represent the highest risk of ePHI disclosure.


WEB: WWW.REDSPIN.COM | PHONE: 800-721-9177 | EMAIL: INFO@REDSPIN.COM

Here are steps to consider for all BAs, especially those that are considered high risk:

   - Upgrade BAAs to include a right-to-audit clause under which you are enabled to perform a HIPAA
     Risk Analysis or other assessment to verify the vendor’s risk profile.
   - Require BAs (or subcontractors) to complete a Business Associate Security Questionnaire in
     which they must attest to some basic elements of their information security program.
   - Threaten to periodically audit or spot check certain answers to the BA's Business Associate
     Security Questionnaire.

Given the expanded liability and compliance requirements of the ePHI supply chain under HIPAA and
the HITECH Act, performing some minimal risk management efforts can dramatically reduce risk
throughout the chain.
