Is it reasonable for a business associate to include in the agreement a statement that security is not guaranteed?
HIPAA Weekly Advisor, October 16, 2006
Your business associate (BA) is only being realistic. Information security can never be guaranteed. There are simply too many people, processes, and technical variables to expect no information risk. Any reasonable BA, from a claims-processing firm to an independent information security consultant, cannot realistically guarantee that trouble will never arise regarding the protection of your ePHI.
However, what it can do (and what a covered entity should expect) is take reasonable precautions in securing ePHI. This includes conforming to widely accepted security frameworks and best practices documented in publications from the International Organization for Standardization and the International Electrotechnical Commission, such as ISO/IEC 17799:2005, and the various special publications from the National Institute of Standards and Technology on information security policies, procedures, and technical safeguards.
It also entails that BAs perform ongoing information security assessments and audits to ensure their processes and controls sufficiently address the risks discovered. If a BA does guarantee 100% security or, on the flip side, works in ways that place ePHI in danger, it may be time to look for someone else with whom to do business.
Editor's note: Kevin Beaver, CISSP, security consultant with Acworth, GA-based Principle Logic, LLC, answered this question. This is not legal advice. Consult your attorney for legal matters.