Outsourcing
HIPAA Business Associates Agreements and Outsourcing Issues.
HIPAA’s requirements with respect to business associates are directly relevant to companies and vendors who enter into an outsourcing relationship. HIPAA mandates numerous precautions, restrictions, and obligations of which the vendor as a business associate must be aware. The vendors must agree to comply with the same stringent confidentiality or security requirements and transfer restrictions as those that the HIPAA Rules impose on their clients that are covered entities. For example, being able to respond, within the regulatory time frames, to a patient’s request for an accounting of the disclosures of the patient’s information in the vendor’s custody would require having in place the technology, structure, and personnel necessary to handle the request.
A vendor that offers services to HIPAA-covered entities should take into account the requirements, restrictions, and obligations set forth in the HIPAA Privacy Rule and Security Rule before preparing a proposal for outsourcing services. The customer, in turn, should ensure that the vendor will be able to assist with compliance, respond to the
Outsourcing and Audit Procedures Checklist

- Are customer connections (extranets) audited on a regular basis?
- Does a formal architecture exist for connecting customers (extranet) to your network?
- Does a formal policy exist to spell out when, why, and how extranet connections will be permitted?
- Is management approval required before bringing an extranet connection online?
- Is a formal security audit required before bringing an extranet connection online?