Business Associate Risks: A Report CardAttorney Szabo on Healthcare's Efforts to Improve Security
Recent breaches and regulatory audits have sharpened the focus on third-party risks. How are healthcare entities tackling this critical topic of business associate management? "Unfortunately, I think there's still a lot of uncertainty for covered entities and business associates, and a lot of work that needs to be done," says David Szabo, a partner in the Boston office of the law firm Locke Lord LLP.
One of the key issues for covered entities: Whether their vendors are categorized as independent actors or as agents of the entity - a key distinction. "If the business associate is your agent ... you are responsible for anything that happens within that scope of work. If the business associate has a breach, makes an improper disclosure ... the covered entity can be held directly accountable."
Szabo discussed "Vendor Management - Security, Risk and Compliance" at Information Security Media Group's recent Healthcare Information Security Summit in Boston.
In a video interview at the event, Szabo discusses:
- How healthcare entities have progressed in managing business associates;
- Current legal hurdles in vendor management;
- The future outlook for scrutiny and enforcement.
Szabo is a partner in the corporate and transactional department, and a member of the healthcare and privacy groups at Locke Lord LLP. He represents hospitals, integrated delivery systems, home care companies, and other healthcare service providers. He also represents healthcare information technology companies and life sciences companies. Szabo has extensive experience in healthcare licensing and regulation, reimbursement, fraud and abuse compliance matters, and the structuring of joint ventures. His practice includes the privacy and information security law applicable to healthcare providers, health plans, technology vendors, and other organizations.