To be certain you are protecting the health information in your organization you must identify where it lives and moves about around the network and workforce. A risk analysis can't be done properly without making that list first.
Where should you look for PHI? If you don't store it do you store access TO it? Get more information for this podcast at HelpMeWithHIPAA.com/42
Trust but verify is the new standard when it comes to Business Associate relationships today. Yes, they must sign a BAA but you really need to ask some questions to confirm those BAs understand and are doing the things they have agreed to do for you.
Covered Entities (CEs) haven't really worried about the details of the contracts too much as along as the vendors would sign them. Many vendors have signed, and continue to sign, BAAs without any concerns at all for what the contract actually says they are going to do in their business. For so many years a BAA was just something you had to sign in order to do the work in healthcare. It didn't matter at all if you did anything with it other than put it in the file with other ones you had signed. The new world of HIPAA compliance, huge data breaches, and civil fines and penalties means neither side of the contract can function that way any longer. It is imperative that HIPAA compliant vendors are vetted in some manner to confirm you really are protecting your patients, clients, business, and reputation.
Get all the details at http://helpmewithhipaa.com/41
