Thursday, January 27, 2005

Business Associate Contracts

The final task under the Administrative Rule is Business Associate Contracts and Other Arrangements. This section states that a covered entity (your agency) may permit a business associate to create, receive, maintain or transmit EPHI on the covered entity's behalf only if the covered entity obtains satisfactory assurances that the business associate will appropriately safeguard the information.

There is one required task under this section. Agencies must document the satisfactory assurances required through a written contract or other arrangement with the business associate.

This means contracts, and this means attorneys. This is not the same contract as required by the Privacy Rule, although it could probably be fitted into an existing contract. The object of this contract is to ensure the business associate agrees to safeguard the security of EPHI data. If there is no contract and the business associate breaches the Security Rule, your agency could be liable.

Tuesday, January 25, 2005

Evaluation

The next Administrative Rules task is Evaluation. Evaluation requires that agencies perform a periodic technical and non-technical evaluation based on the Security Rule standards, as well as on any new environmental or operational changes affecting the security of EPHI.

We suggest that agencies review their Security Rule compliance at least annually to ensure that compliance is being maintained. It should also be reviewed as part of any major organizational change, such as a merger or a change in services.

Friday, January 21, 2005

Contingency Plan V

The last Contingency Plan task is also an addressable task. Agencies must assess the relative criticality of specific applications and data in support of other Contingency Plan components.

Here you want to evaluate which applications and data are critical to Emergency Mode operation and apply the contingency planning rules specifically to those applications and data.

Monday, January 17, 2005

Contingency Plan IV

This Contingency Plan task requires that agencies implement procedures for periodic testing and revision of contingency plans. This is an addressable task.

This means that you must test the various components of your Contingency Plan to make sure they are working as expected and to ensure that business and/or IT-related changes have been considered and applied to your Plan. I would suggest this process be done at least annually, and it should also be done after any major business and/or IT change has been implemented.

Friday, January 07, 2005

Contingency Plan III

The next Contingency Plan task is also a required task. Agencies must have an Emergency Mode Operation Plan. This means you must establish and implement procedures that enable continuation of critical business processes for protection of the security of EPHI while operating in Emergency Mode.

If a disaster strikes and your systems must be operated in Emergency Mode, you must be able to maintain the security of EPHI. If you need to operate from a different location, you must be able to ensure the security requirements under this rule can still be met.

Tuesday, January 04, 2005

Contingency Plan II

The next task under the Contingency Plan is the Disaster Recovery Plan. This requires that agencies establish and implement procedures to restore any loss of EPHI data. This is a required task.

There are several things that could cause loss of EPHI data. Hardware failure and human error are the most common. You must be able to restore EPHI data should any loss of data occur. If you have a data backup plan and adhere to it, you should be able to recover any lost data from your backup media. However, you must also consider other possible causes of data loss, such as loss of your server due to natural disaster or theft. This is where off-site backup media comes into play.
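The periodic testing called for under Contingency Plan IV and the restore capability required by the Disaster Recovery Plan above both come down to the same drill: back the data up, restore it somewhere other than production, and prove every file came back intact. The script below is an added example and not part of the original post or any agency's procedure; it assumes a hypothetical layout in which EPHI files sit in a source directory, the backup is a copy plus a SHA-256 manifest, and the drill restores into a scratch directory and checks each restored file against the manifest. The sample records it creates are constructed for demonstration.

```python
"""Restore drill for a data backup plan (added example, not from the original post).

Hypothetical layout: EPHI files live under a source directory, a backup is a
copy of those files plus a manifest of SHA-256 hashes, and a periodic drill
restores the backup into a scratch directory and verifies every file against
the manifest. A non-empty failure list means the plan needs revision.
"""
import hashlib
import json
import os
import shutil
import tempfile

MANIFEST_NAME = "manifest.json"


def sha256_of(path):
    """Hash a file in chunks so large records need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src_dir, backup_dir):
    """Copy every file under src_dir into backup_dir and record its hash.
    Returns the manifest (relative path -> SHA-256), which is also written
    alongside the backup so a restore can be verified without the source."""
    os.makedirs(backup_dir, exist_ok=True)
    manifest = {}
    for root, _dirs, files in os.walk(src_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, src_dir)
            dest = os.path.join(backup_dir, rel)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            shutil.copy2(full, dest)
            manifest[rel] = sha256_of(full)
    with open(os.path.join(backup_dir, MANIFEST_NAME), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def restore_backup(backup_dir, restore_dir):
    """Restore the backup into restore_dir (the drill target, never
    production) and return the manifest stored with the backup."""
    with open(os.path.join(backup_dir, MANIFEST_NAME)) as f:
        manifest = json.load(f)
    for rel in manifest:
        dest = os.path.join(restore_dir, rel)
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        shutil.copy2(os.path.join(backup_dir, rel), dest)
    return manifest


def verify_restore(manifest, restore_dir):
    """Compare every restored file against the manifest. Returns a list of
    (relative path, reason) for files that are missing or altered; an empty
    list means the drill passed."""
    failures = []
    for rel, expected in manifest.items():
        path = os.path.join(restore_dir, rel)
        if not os.path.exists(path):
            failures.append((rel, "missing"))
        elif sha256_of(path) != expected:
            failures.append((rel, "hash mismatch"))
    return failures


def run_drill(src_dir, backup_dir, restore_dir):
    """Full drill: back up, restore to scratch, verify. True only if every
    file restored intact."""
    create_backup(src_dir, backup_dir)
    manifest = restore_backup(backup_dir, restore_dir)
    return verify_restore(manifest, restore_dir) == []


def make_sample_tree():
    """Build a constructed sample source tree (two stand-in EPHI records)
    in a temporary directory. Returns (work_dir, src_dir)."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "ephi")
    os.makedirs(os.path.join(src, "records"))
    with open(os.path.join(src, "records", "patient-0001.txt"), "w") as f:
        f.write("constructed sample record 1\n")
    with open(os.path.join(src, "index.txt"), "w") as f:
        f.write("constructed index\n")
    return work, src


if __name__ == "__main__":
    work, src = make_sample_tree()
    ok = run_drill(src, os.path.join(work, "backup"), os.path.join(work, "restore"))
    print("restore drill passed" if ok else "restore drill FAILED")
    shutil.rmtree(work)
```

The point of restoring into a scratch directory rather than over production is that the drill itself must not become the data-loss event it is testing for; a manifest kept with the backup (and with any off-site copy) is what lets you verify a restore at the alternate location without access to the original server.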