February 16, 2012 
A couple of weeks ago, we announced our Surveyor for Business Associates Program designed to support the BA that wants to ensure that their privacy and security programs are not only compliant with HIPAA/HITECH, but demonstrate their commitment to the industry and their clients that privacy and security are a priority.
This week we are pleased to announce the second solution in the Surveyor Suite, Surveyor for Providers.
Read more about Surveyor for Providers here:
PR-2012-Surveyor for Providers-FINAL
FACT-2012-Surveyor for Providers
Health systems’ privacy and security challenges are not confined to their “four walls.” The growing demand for and value in information exchange, the pace of merger and acquisition activity, and the increasing number of business associates with whom we have sensitive data sharing relationships really does stretch the boundaries of our privacy and security programs.
And while the burden of responsibility to demonstrate business-appropriate and compliance-aware privacy and security lies with each of those partners, the moment we share sensitive data or allow someone to connect to our networks, our risk increases, unless we have taken our own steps to evaluate and/or mitigate that risk.
Introducing more rigor into business associate agreements and adding data security agreements to the BAA are good first steps. More organizations that we work with are doing this. Performing additional due diligence before you execute new contracts or renew existing agreements with partners with whom you share sensitive data is emerging as a best practice.
I know, the first thing that you want to know is “who pays” for this due diligence. We are seeing the costs associated with an outside review, if it is required, being built into the agreements and contracts. Like other “pay for performance” arrangements, if a business associate cannot demonstrate compliance with your requirements, they pay for the cost of a review, but YOU get to select the vendor (or mutually agree to a vendor). In other cases, we see costs being shared. Finally, in the case of M&A, the cost is most commonly attributed to the acquiring entity, but built into the cost of the transaction like other due diligence activities.
CynergisTek, Inc. 