Privacy Officers: Press BAs Hard on Data Location, Breach Notification Timeline

Business associates (BAs)—particularly those that have operations outside the United States—pose heightened security risks to covered entities (CEs) as remote work becomes entrenched due to the pandemic, privacy officers said.

In a roundtable held at a recent national HIPAA conference, top privacy officials from five health organizations discussed their main concerns and potential solutions for privacy issues.[1]

BAs were top of mind for those who took part in the discussion. Lori Lamb, system vice president and privacy officer for CommonSpirit Health, said her organization is “seeing quite a few issues with vendors large and small,” and “it does seem that many of our breach events are at the hands of, or occur at, our vendors.”

Complicating that, Lamb said, is the fact that some of these vendors are not headquartered in the United States, and “therefore they do not necessarily have as good an understanding of HIPAA and how to work with us on breach issues [and] notification. Understanding the BAA [business associate agreement] is in place, how does one actually operationalize that when it occurs?”

Vendors also want to offshore data and use international contractors, Lamb said. “That is something we take a very hard look at, because once PHI [protected health information] leaves the U.S., it becomes more challenging to manage.”

This document is only available to subscribers. Please log in or purchase access.
 


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field