Evaluation 45 CFR § 164.308(a)(8) Organizations are required to periodically review the technical and non-technical safeguards they have in place. This includes your risk analysis and your risk management plan, as well as your policies, procedures, and documentation. You must ensure that the safeguards you have in place continue to protect patient data. Although the requirement does not state a time frame in which this review must take place, an annual review is recommended because of the constant changes in technology.
Business Associate Contracts 45 CFR § 164.308(b)(1) Covered entities often use business associates (BAs) to provide services to their organization. A business associate agreement (BAA) must be in place to instruct the BA on the permitted uses and disclosures of patient data. The patient data remains the responsibility of the covered entity, which must direct how and when this data can be shared.
Other Arrangements 45 CFR § 164.308(b)(4) Any person or company that accesses, creates, maintains, or stores ePHI is required to be HIPAA compliant. It is the duty of the covered entity to perform due diligence to ensure that such parties have met the requirements of the Privacy Rule and Security Rule where applicable. This may include a service agreement or written assurances from the business associate.