Friday, November 25, 2011

Sample Business Associate Contract for HIPAA Compliance

There is no single document, web page, or resource that can provide you with a bulletproof contract that protects both the organization and a subcontractor or business partner. The government has provided a sample that may cover a percentage of the issues that should be addressed.

Click here for the government sample.

This plan is by definition only a guideline, but it is a place to start thinking. What is missing is the Written Information Security Program (WISP) plan. A WISP plan is tailored to the risk quotient of an organization. It is certainly not a one-size-fits-all solution. A comprehensive plan will address business partner access as well as the other risks associated with the business operations.

A WISP plan is a process, not an event. It is a living, breathing, changing set of documents that evolves with the growth and changes in your business. Like the sample business partner contract, it should not be done with a do-it-yourself process or attitude. The idea of a doctor treating themselves should come to mind.

A WISP plan should incorporate, at a minimum, Technology, Insurance, Legal, and most importantly Human Resources. No internal person is likely to have enough expertise in all of these areas. You need expert, outside, objective eyes looking at your business operations. That is where a resource like Cyber Security Auditors and Administrators (CSA2) helps.

CSA2 is a resource of resources. CSA2 has access to leading industry experts, experts who will help you prepare, plan, and execute a real working WISP plan. Think of a WISP plan as a fire drill for data breaches. It may be painful to have to think about these things, but it will be a significantly less stressful exercise than a post-breach eternity of forensic analysis, government regulation, and levied fines.

If you value the relationship and trust built over the years you have been in business with your employees, suppliers, and customers, then plan now. It will take a long time to rebuild trust that can be lost in an instant, an instant that was preventable.

There is no perfect mousetrap, and the mice keep getting smarter, so even a great WISP plan cannot prevent all disasters, but a good plan will allow a quick response and create a defensible position. Everyone needs a plan that is tailored to their level of risk. Hopefully you will contact Dolvin Consulting to see how we can mitigate your risks. Call now; the time invested is well worth the peace of mind.