New tool helps with HIPAA compliance


A new risk assessment tool will help healthcare business associates and subcontractors address the issue of HIPAA final rule compliance. The Business Associate HIPAA Self Risk Assessment (BA HSRA) has been created by risk mitigation and response specialists Kroll Advisory Solutions. It is based on HIPAA provisions, security best practices, and guidance from the National Institute of Standards and Technology (NIST).

The HIPAA final rule solidifies stringent data privacy and security requirements for business associates (BAs) and subcontractors. Businesses that provide services to covered entities like hospitals and physician practice groups may not be familiar with healthcare terminology or HIPAA requirements.

While BAs and subcontractors may perform very different functions from a healthcare provider, they are still required to comply in full with the HIPAA security rule and may also be required to comply with certain aspects of the HIPAA privacy rule.

Kroll Advisory’s risk assessment tool and its results are designed to help BAs and subcontractors across a vast range of industries identify vulnerabilities within their administrative, physical, and technical security safeguards and pinpoint privacy aspects where improvement is needed.

“Under the final rule, an organization will be considered a business associate if it meets the definition, regardless of whether it has a business associate agreement in place,” said Brian Lapidus, head of the incident response and remediation group at Kroll Advisory Solutions.

“Businesses that might not have known they were even considered accountable now find themselves directly liable for the security of sensitive protected health information (PHI).”

Kroll’s risk assessment is mapped into a user-friendly format and contains links to authoritative resources, helpful tips, and the regulations themselves. The final report, which documents completion of the assessment, includes overall scoring for an “at-a-glance” view as well as full responses to each question and guidance on next steps.
