6 Questions to Ask Every Potential Business Associate


Since March of 2020, the medical industry has had to adjust quickly to the technological demands placed upon it during the COVID-19 pandemic. One downside of this abrupt change was that providers had far less time than usual to vet the vendors they chose to deliver this new technology.

A few months ago, an individual filed a class-action lawsuit against the Pennsylvania Department of Health and the company it hired to conduct its contact tracing, after being one of 72,000 people whose information was exposed in a data breach. The breach resulted from the neglect of the third-party vendor, which failed to implement the cybersecurity policies and procedures needed to protect protected health information (PHI) during tracing. According to inside information, this vendor knew about the breach months before it notified the Pennsylvania DOH.

When asked about its Business Associate (an entity that performs activities involving the use or disclosure of protected health information on behalf of a covered entity), the DOH stated that this group “disregarded safety protocols, with some employees creating Google accounts to share data, including information gathered from contact tracing calls. Those documents were left unprotected and that made them vulnerable to access.” The Department has made it clear that it will not renew its contract with this group and clarified that its own computer tracing system and apps were not affected.

To protect yourself from partnering with the wrong vendor, ask these 6 questions before signing your next Business Associate Agreement (BAA).

1. What security measures are you taking to protect patient health information?
Business Associates are directly liable under HIPAA for compliance with the Security Rule and the applicable provisions of the Privacy Rule. That means a vendor cannot simply point to your compliance program; it must be able to demonstrate that it is actively protecting PHI through its own administrative, physical, and technical safeguards. Ask for the documentation (policies, procedures, and evidence that they are actually followed) rather than accepting a verbal assurance.

2. Have you conducted a comprehensive HIPAA SRA within the past 12 months?
Security Risk Analyses (SRAs) aren’t just for covered entities. Under HIPAA, Business Associates must maintain an up-to-date Security Risk Analysis covering the PHI they create, receive, maintain, or transmit. Ask when the last one was completed, what it covered, and how the identified risks are being remediated.

3. Do you have a Business Continuity Plan (BCP)?
In addition to comprehensive HIPAA policies and procedures, vendors who touch PHI should have a solid BCP in case their safeguards fail or an unforeseen emergency arises. The HIPAA Security Rule’s contingency plan standard already expects a data backup plan, a disaster recovery plan, and an emergency mode operation plan, so a vendor without one is missing a required safeguard. How does this prospective Business Associate plan to protect the integrity and privacy of PHI in the event of a disaster? Check out our white paper on Business Continuity Plans for more information on what a good BCP covers.

4. Do you have a Business Associate Agreement?
Even if you have a Business Associate Agreement (BAA) ready to go, you should still ask a potential vendor about theirs. If they have a thorough BAA template detailing all of their responsibilities to a covered entity, it demonstrates that they are a vendor who cares about patient privacy. Also ask whether they use subcontractors who will handle your PHI; HIPAA requires the Business Associate to have BAAs in place with those subcontractors as well.

5. How do you train your employees on security and compliance?
Human error is still one of the leading causes of HIPAA breaches, and the contact tracing incident above is a good example: employees moving data into personal Google accounts is a training and policy failure long before it is a technology failure. The most effective defense is a solid, recurring training program. Any vendor that you work with should train its staff as diligently as you do on how to secure PHI and follow HIPAA requirements, and should be able to show you training records, not just a policy that says training happens.

6. How do you store, encrypt and back up data?
Ask to speak with the IT representative of the organization to get the logistical details of how this Business Associate will protect your data. You need to know whether PHI is stored in the cloud and with which provider, what network controls such as firewalls and access restrictions are in place, how PHI is encrypted both at rest and in transit and who holds the encryption keys, how often backups are taken, whether the backups themselves are encrypted, and whether restores are actually tested. Ask, too, how the vendor prevents staff from copying PHI into unsanctioned accounts or file-sharing services, since that is exactly how the contact tracing data described above ended up unprotected. With the current proliferation of cybersecurity attacks against the healthcare industry, you can’t be too careful when it comes to protecting your patients’ data.


If you have questions about your BAA management, reach out to a Medcurity compliance expert. We're here to help.