Getting the CE to Sign Off on Noncompliant Solutions
The hardest part of being a BAA (especially a provider of tech solutions) is that many doctors and dentists don't want to buy all of the services that will keep them compliant on their networks. When we are asked to install systems with configurations that don't comply with HIPAA (e.g. no automatic logoffs, no passwords on PCs, etc.), we need them to sign off stating that "best practices were proposed, but the CE elected not to go forward with fully compliant systems".
Unfortunately, this practice does not sit well with the covered entity; however, it's important to make sure that the CE acknowledges that best practices for network configuration have not been deployed.
BAAs can be the first group to be thrown under the bus when an audit takes place, so my advice to BAAs is to dot your i's and make sure there is written acknowledgement if fully compliant solutions are not deployed.
How do other BAAs approach this scenario?