The new chain of responsibilty for protecting PHI, as laid out by HHS, goes from the covered entity (CE) to the business associate (BA) to the sub-contractor (Sub).
A breach at any level will involve the CE and their name will end up on the wall of shame if the breach is for more than 500 patients. One study showed that of the reported breaches in 2010, 42% were caused by a third party, ie. BA or Sub.
Due to this potential liability CEs are beginning to require proof of compliance before they will do business with a BA or Sub. The big challenge is how to prove compliance so that the CE has "suitable assurance" as required by HIPAA.
Of course many if not most could not prove it because they are not compliant, but let's say they are compliant, have policies and procedures in place, train their staff, and maintain documentation to prove this. Short of the CE visiting the BA, how can they know they are compliant at all times.
Compliance Helper has a solution called the Compliance Meter. The BA or Sub sets up their privacy and information security program with a service called Prepare.
A privacy and security expert called a Helper monitors their progress and provides advice, encouragement, and oversight. They follow a task list and as they review, edit, and get approval for their policies, procedures, and forms their progress is recorded and displayed through the Compliance Meter.
The Compliance Meter displays the percentage of policies, procedures and forms approved and tasks completed. Once they move to maintenance they get monthly task-lists and updates to their policies, procedures and forms.
The Compliance Meter reflects their current level of compliance at all times. It is a widget that can be displayed on the website of the BA or Sub or deployed to their business partners such as CEs or other BAs and Subs.
This provides complete transparency for their business partners.
With programs starting at $125 to get compliant and $35 per month to stay compliant, there is a program for even the smallest Sub to get compliant, stay compliant, and prove compliance with the Compliance Meter.
Cross-posted from Compliance Helper