Business Associates Need to Understand HIPAA & HITECH Requirements

 Even though the full extent of the HIPAA and HITECH requirements will not be required for Business Associates until 2011, my experience with helping organizations reach compliance with appropriate security requirements suggests that compliance efforts should begin right away.  Proposed changes to the rules can be viewed at ( deadline for submitting comments has passed on August 13th; however I would be surprised to find significant changes from those that have been proposed.

With Business Associates having to comply with the same requirements as Covered Entities, there are many important requirements with regard to handling ePHI.  Companies should quickly become familiar with:

  1. Performing periodic risk assessments that include ePHI – Organizations may decide to use guidance provided by HHS or use their own discretion.
  2. Ability to respond to ePHI access inquiries – Just as covered entities, BAs need to be able to respond to requests regarding access to individual’s ePHI.
  3. Incident investigation timeframe – In accordance with the HITECH requirements, responding to security incidents and issuing appropriate breach notifications must take place within a relatively short timeframe. While 60 days may not seem very short, having participated in a number of incident investigations, I can assure that this is not a lot of time.

Implementation of the above mentioned requirements may warrant creating new or modifying existing policies, implementing new security controls, and providing training for IT staff and other ePHI custodians.  Failure to comply with policies and practices may cause the company to be viewed as negligent, triggering significantly higher fines and possible consequences for company leadership.  For those companies who have relatively new security and privacy programs, I strongly recommend referencing HITRUST Common Security Framework (CSF) for detailed implementation requirements for individual HIPAA and HITECH controls.  While this may be seen as over-kill for small Business Associate organizations, the range of control implementation considerations will help organizations realize all possible consequences of these healthcare regulatory requirements.  With implementation of some of the more technical controls requiring considerable cost and operational changes, organizations should take advantage of the time before the requirements have been mandated and companies  fall into the scope of the HIPAA and HITECH enforcement efforts.


Presenting at OWASP AppSec Conference

Antti Rantasaari and I will be delivering our presentation “Escalating Privileges through Database Trusts” at the National OWASP AppSec conference in Irvine, CA on September 10th. We are very excited to have the opportunity to share some the of the common application and database implementation weaknesses we see in the real world. During the presentation we’ll show how those weaknesses can be combined to gain unauthorized access to high value data. The presentation will cover: – Three core issues that contribute to weak application and database configurations – Three common attack and escalation scenarios used during penetration tests – Five fixes to help stop the bleeding – Time for questions and answers For those who are interested come see us at AppSec. You can register online at the AppSec website. See you there!

Discover why security operations teams choose NetSPI.