Corporate Compliance

Evaluating business associate security

Compliance Monitor, December 16, 2005

Q: How should we evaluate business associate security?

It's easy to document information assurances in a contract, but it's quite different when it comes to actually implementing the proper processes and controls. In fact, it's common for HIPAA lawyers and compliance officers working for business associates to agree to protect ePHI and not once involve information technology, security, and other critical personnel to ensure such claims can be backed up. This creates a dangerous situation for everyone involved.

According to the security rule, covered entities need to obtain satisfactory assurances that business associates will appropriately safeguard information. There's no way to obtain such satisfactory assurances without looking into the business associate's information security policies, procedures, and technical safeguards in the form of an

At a minimum, conduct an analysis of a security audit or create an assessment report. If it makes business sense, take it one step further and perform an assessment of the business associate's information security framework.

Editor's note: Kevin Beaver, CISSP, security consultant with Acworth, GA-based Principle Logic, LLC, answered this question. This is not legal advice. Consult your attorney for legal matters.

Most Popular