Be Sure That Business Associates Are HIPAA-Prepared, Or Else

Sure, most readers will know that it’s important to have business associates who know how to handle potential HIPAA concerns.  I’d wager, however, given the outbreak of partner-related data losses of late, many facilities and medical practices aren’t subjecting their business partners to severe enough scrutiny.

There are many, many ways a business associate can drop the ball, especially if you’re not keeping them informed.  For example, consider the case of South Shore Hospital of South Weymouth, MA, which lost boxes of unencrypted backup tapes en route to associate Archive Data Solutions.  The stolen tapes included HIPAA-protected ePHI (SSNs, names, financial account numbers and diagnoses).

While the business associate may have been at fault, it was the hospital that was fined a total of $475,000 over the incident, which affected over 800,000 individuals. The state’s Attorney General imposed these fines because the hospital hadn’t done the due diligence to make sure the associate had appropriate safeguards in place.

So, how do you protect yourself in your relationship with data management associates?  The following list of criteria, supplied by Thu Pham, seems likely to do the trick:

  • Business associate has been independently audited across all 54 HIPAA citations and 136 audited components; they’ve passed with 100% compliance and can show you a copy of their report.
  • They can tell you the particular technologies they’ll use to meet HIPAA security standards.
  • They have documented policies and procedures already in place, including policies related to breach notification.
  • They have proof their employees are trained on how to handle your PHI, with last completed dates of training.
  • They should have their own business associate agreement in place that defines their responsibilities when handling your PHI.

I might also ask them how they train their workers, since all of this preparation may be worth a lot less if policies are loosely enforced.  Now, over to you. Do you think this list is sufficient to protect your institution?  Are there items you’d add or clarify?

About the author

Anne Zieger

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.


  • Thanks Katherine – great article. Another recommendation is to invest the time to actually visit the Business Associate’s company in person. In our industry, it’s sometimes shocking how many vendors describe “their” data center, for example, when they don’t in fact own and operate the facility directly. Some Business Associates even compensate travel expenses at the appropriate point in the process. But even if that’s not the case, never underestimate the value of meeting with your vendors face-to-face in their facility – one glance can tell you a lot! 🙂

  • Spot on, April. We don’t recommend anyone to our clients unless we’ve met them and seen their facilities. What I find amazing is the number of companies that claim HIPAA compliance, but have never heard of a BAA.

  • A few other things to look for and insist upon – data encryption, insurance covering breaches and cyber security, and a compliance officer/department. Each of those can help protect you!