Key Questions for HIPAA Business Associates and Covered Entities

Since the HIPAA Omnibus Rule made Business Associates (BAs) directly responsible for compliance in 2013, the Covered Entities (CEs) we work with are still not reassured that their vendors have adequate security measures in place, and even if the vendors do, the CEs have no reliable way to know for sure.

With an estimated 20% (likely higher) of healthcare data breaches directly involving or stemming from BAs' handling of patient data, and a disproportionate number of breached records involving third or fourth parties, CEs are understandably worried.

HIPAA Breaches and Third Party Vendors

Have your BAs answered these key questions for you?

  • Do their security controls and processes meet your expectations?
  • Have they conducted a recent risk assessment?
  • Are employees well trained, and are subcontractors (4th-party vendors) held to the same standards?
  • Are backup/recovery and data destruction policies in place and adequate?
  • If there were a breach, how and when should you expect to be notified?

Business Associates Should Want to Provide These Answers!

Business Associate companies seeking to do business with healthcare companies could easily get a leg up on any competition simply by answering those questions up front. Few seem able to do that today.

Regulators Now Hold Business Associates to the Same Expectations!

Regulators are now auditing BAs along with CEs, and they are sending clear signals that they are cracking down on noncompliant vendors. BAs no longer have an excuse, but CEs are not off the hook either, as they remain ultimately responsible for the data their BAs can access.

If your company is a Covered Entity that needs help determining the security and compliance level of your vendors, or drafting effective Business Associate Agreements so that both parties share the same expectations and standards of compliance, our team can help you survey, evaluate, and work with your BAs.

If your company is a Business Associate that needs to evaluate and document its own internal systems and processes to reassure its healthcare clients, Loricca can help!