BA Agreements: Going Beyond the Basics
Insights on Setting Expectations for Vendors, Monitoring Performance
Healthcare organizations should specify in their contracts with business associates the documentation they expect to see as proof that these vendors are, indeed, taking appropriate measures to protect patient data, says security and privacy expert Rebecca Herold.
That's important because of the risk that vendors potentially pose to the security of patient information. Approximately 20 percent of health data breaches affecting 500 or more individuals since September 2009 have involved business associates, according to the Department of Health and Human Services' "wall of shame" website listing those incidents.
"I like to include in [BA] agreements a right-to-audit clause, and a clause requiring the BA to provide a copy of their current information security policies and any recent risk assessment executive summary upon request," says Herold, partner and co-founder of consulting firm SIMBUS Security and Privacy Services.
"It's so important to put those sorts of actions and activities within the contract to say you have the right to request this kind of documentation," she says in an interview with Information Security Media Group.
Herold also suggests that HIPAA covered entities ask their business associates to complete periodic questionnaires to assess the degree of risk posed by their vendors. "Sometimes a covered entity will have dozens, or hundreds or even thousands of BAs, and they all have different risk levels," she says. "Covered entities need to determine the level of risk posed by each of their BAs and then provide more oversight over the vendors presenting the highest risk."
In addition, Herold advises that healthcare organizations require their vendors to complete "attestations." She explains: "These are comparatively brief forms you can send the BA monthly or quarterly, depending on their risk level. ... They basically say 'we have the policy and procedures in place, we're doing everything we need to do [to safeguard protected health information],' and then you have the leader ... of the BA sign them. The leader is assuming explicit responsibility for ensuring that what he or she says is in place is actually in place."
In the interview, Herold also discusses:
- Whom within a covered entity should be dealing with business associates for information security and privacy matters;
- The blunders that covered entities make in dealing with their business associates that put patient data at risk;
- The biggest information security mistakes that vendors make;
- When covered entities should consider ending relationships with business associates.
In addition to being partner and co-founder of the consulting firm SIMBUS Security and Privacy Services and the SIMBUS Tracker, Herold is CEO of the security consulting firm Rebecca Herold & Associates LLC (also known as The Privacy Professor) and the author of more than 16 books on information security and privacy.