Risk: Lack of business associate agreements when it has a contractor creating, transmitting or storing ePHI.
Explanation: The safeguard of your ePHI is incomplete until enough security safeguards are provided by the service providers, as per agreement. If your service provider fails to provide enough safeguards, it may result in:
- Unauthorized access or disclosure of your ePHI.
- Compromising the ability of your workplace members to efficiently serve the patients.
- Medical identity theft.
Mitigation: Before getting into a contract with your service provider, make sure that your provider gives satisfactory assurances regarding the creation, transmission, storage and handling of ePHI. Such assurances may include:
- Limiting the use/access to ePHI as required by law.
- Employing enough safeguards to prevent unauthorized use or disclosure of ePHI.
- Following the same or substantially similar good practices followed by your own institution.
Success Criteria: Highest level of security services further strengthened by the service providers leading to improved experience and better security.