In alignment with the Health Insurance Portability and Accountability Act (HIPAA) and § 164.314(a), our organization ensures the secure handling of electronic protected health information (ePHI) by subcontractors engaged by business associates. This involves obtaining satisfactory assurances from business associates that subcontractors will appropriately safeguard sensitive health information when creating, receiving, maintaining, or transmitting ePHI on behalf of the organization.

- Verification that business associates obtain satisfactory assurances from subcontractors, ensuring the appropriate safeguarding of ePHI.

- Inclusion of explicit safeguarding commitments within contractual agreements between business associates and subcontractors.

- Implementation of regular compliance checks and assessments to validate that subcontractors adhere to the agreed-upon safeguarding measures.

- Establishment of mechanisms for ongoing oversight and monitoring of subcontractor activities to guarantee continuous compliance with HIPAA requirements.

Priority: High

Category: Business Associate Management

Services Associated with AWS:

- AWS Business Associate Addendum (BAA): Leveraging the AWS BAA framework to ensure that subcontractors engaged through AWS services commit to appropriate safeguards for ePHI.

- AWS Artifact: Accessing compliance documentation, including security reports, to verify that AWS services and subcontractors comply with HIPAA requirements.

Services Associated with Azure:

- Azure HIPAA/HITECH Implementation Guidance: Utilizing Azure's implementation guidance for HIPAA/HITECH to ensure that subcontractors adhere to necessary standards for ePHI safeguarding.

- Azure Blueprint for HIPAA: Implementing the Azure Blueprint for HIPAA to facilitate the design, deployment, and management of HIPAA-compliant solutions involving subcontractors.

Objective Evidence:

- Business Associate Agreements with Safeguarding Clauses: Documentation of executed agreements between business associates and subcontractors, clearly outlining safeguarding commitments.

- Compliance Assessment Reports: Reports from regular compliance assessments validating subcontractors' adherence to agreed-upon safeguarding measures.

- Incident Response Records: Records of incident response activities involving subcontractors, showcasing the organization's preparedness and action in the event of security incidents.

Possible Technology Considerations:

- Secure Collaboration Platforms: Use of secure collaboration platforms that enable the creation, receipt, maintenance, or transmission of ePHI while maintaining safeguarding standards.

- Encrypted Communication Channels: Adoption of encrypted communication channels for the secure exchange of ePHI between business associates and subcontractors.

- Access Controls and Logging: Implementation of access controls and logging mechanisms to monitor subcontractor activities related to ePHI.

What Needs to Be Answered:

- How effective are the safeguarding measures implemented by subcontractors in protecting ePHI, and how is this effectiveness measured?

- Are safeguarding commitments explicitly included in agreements with subcontractors, and is this inclusion done in a timely manner?

- How does the organization respond to and manage security incidents involving subcontractors, ensuring a swift and appropriate resolution?

- How well are the safeguarding practices of subcontractors integrated with the organization's internal security policies and procedures?