Choosing HITECH Compliant Business Associates

Choosing Business Associates (BAs)—Questions to Ask

Make sure that the BA’s policies and processes are documented and comprehensive. Ask to see all security and privacy policies, as well as workforce training materials. Walk through the process for identifying an incident and responding to it for the BA’s benefit and yours. (For example, ask, "What is considered an incident?" "To whom is it reported?" "How quickly must it be reported?") Be sure both parties document this "service level agreement."

  1. Are you also a HIPAA "business associate"? (If so, you should expect that the organization is fully HIPAA compliant and should be able to answer questions readily.)
  2. Have you signed HIPAA-style BA contracts with other organizations?
  3. Do you have an information security officer and a privacy officer? If so, are they full-time or part-time? Where do they report within your organization? What are their qualifications?
  4. Do you have a comprehensive, written set of security and privacy policies and procedures?
  5. Do you have a physical security policy and plan? Has a SAS 70 (Statement on Auditing Standards No. 70) certification been performed? How do you secure portable devices and media? How do you handle disposal of confidential data on all media? How do you remove data on a device or medium to prepare it for reuse?
  6. Assuming you perform the same or similar service for other HIPAA Covered Entities (CEs), how do you ensure that PHI from different CEs is not commingled? How do you ensure that you do not disclose one CE’s PHI to another CE in error? How do you ensure that one entity cannot access another entity’s PHI (unless authorized by contract)?
  7. Are you disclosing PHI? If so, summarize to whom and under what circumstances. Would you disclose our PHI? If so, what controls do you have in place to ensure disclosure is appropriate and at the minimum necessary level?
  8. Describe your workforce privacy and security training program including content, frequency, and method(s) of delivery. Does it cover the full workforce? What about subcontractors? 
  9. Do you have formal, written policies and guidelines governing privacy and security incident reporting? How do you define "incidents"? How would incidents be reported to our organization? Would you be informed of an incident by/under control of your subcontractor? Have you had an incident in the past year? Does your incident response plan include procedures for breach notification as required by the HITECH Act?
  10. Do you have formal, written policies and guidelines governing sanctions for policy violations? Do they also apply to non-employees (if you have non-employee workforce members)? How would you handle serious violations or breaches? Do you have insurance to cover privacy and security breaches of our PHI occurring under your watch or through your subcontractors?
  11. How are you prepared to handle the specific HIPAA Privacy Rule requirements for (a) inspection and copying, (b) amendment, (c) tracking and accounting of disclosures, and (d) restrictions on disclosures?
  12. Upon termination of our relationship or when certain PHI is no longer needed by you, how would you return or destroy PHI? What are your current mechanisms? How would these be affected if your company is acquired or declares bankruptcy?
  13. What are your technical network perimeter controls? How will communication between the entities be handled securely? How will remote authentication be handled, if appropriate? Authentication on hand-held devices? Describe how and when encryption is required. If wireless is part of the solution, describe security controls.

More information on this and other healthcare topics can be found at:

The Marblehead Group, LLC, Healthcare

http://www.themarbleheadgroup.com