Business associates should be required to provide some type of evidence or proof of compliance to their covered entities. – Healthcare Information Security Today: 2013 Outlook Survey
This quote comes from a study that reports only 32 percent of survey respondents in the healthcare IT director/manager demographic expressed confidence in the security controls maintained by their business associates – a dismal number considering the risk taken when partnering with a HIPAA cloud hosting or HIPAA colocation provider.
When asked about what steps covered entities have taken to ensure business associates are HIPAA compliant, only 25 percent obtained a copy of their BA’s security audit, and 12 percent commissioned a third-party validation of their policies and procedures. While the last figure is understandable as it requires an investment of time and money, there should be no excuse for not checking a security audit report (unless the business associate doesn’t have one).
Read more about compliance with hosting business associates in 100% HIPAA Compliant.
Thirty percent required business associates to complete a security questionnaire, although the report doesn’t provide much in terms of details. For a list of questions to ask your potential HIPAA hosting provider, read Five Questions to Ask Your HIPAA Hosting Provider.
The greatest percentage of respondents modified business associate agreements (BAAs) to provide more details, at 69 percent. What should the contractual terms look like? Briefly, BAs are required to:
- Implement safeguards to prevent misuse/disclosure of health data
- Report PHI breaches
- Disclose PHI as requested by CEs for patient use, amendments and accountings
- At contract termination, return or destroy all PHI (protected health information) from the CE…
Find out what else is required in the new business associate agreements by reading Final HIPAA Omnibus Rule: Business Associate Agreements & Roadmap to Compliance.
The survey also features an interview with an independent consulting professional (a CISSP, Certified Information Systems Security Professional). He acknowledges that approximately 20 percent of breaches are caused by business associates (most recently, 40 percent of 2013 breaches), and he recommends using the HIPAA audit protocol as a guide for conducting a technical and non-technical evaluation of a business associate’s safeguards and controls.
Find out more about business associates and HIPAA compliance in our HIPAA Compliant Hosting white paper.