As any reasonably sized covered entity will attest, it is not unusual to have hundreds of Business Associates (partners who have access to ePHI). While your own security may be adequate to protect your ePHI, a breach by a Business Associate will still have a substantial impact on you, and that breach must be disclosed. Ensuring they are protecting your ePHI is somewhat easier since the HITECH Act made Business Associates directly subject to HIPAA's requirements. So it is important to ensure your Business Associates implement appropriate security controls to adequately protect ePHI and reduce the odds of a breach. Given the challenges of performing in-depth due diligence on hundreds of organizations simultaneously, a risk-based approach should be used to prioritize the list of Business Associates. This lets you focus first on the areas of greatest risk and impact.
Here are a few questions to ask about your business associates to help prioritize your due diligence efforts.
-How many ePHI records do they have?
-Are they granted controlled access to data housed by us, with the risk mitigated by our own internal controls?
-Is the data housed by them, so that we are completely reliant on their security controls?
-Consider the type of ePHI they have: SSNs, payment details (credit card or bank account numbers), driver's license numbers, etc. More sensitive data means higher risk.
-How long are the records maintained by them? (Held for a short period and then destroyed, or archived indefinitely?)
-How many of their employees have access to our data?
-Have they experienced a breach in the past?
-Are their systems connected directly to our network? Would a compromise of their network give an attacker access to ours?
-Are they providing a service where ePHI is accessed directly over the Internet? Could an attacker on the Internet directly breach the system?
These are a few questions to get you thinking about where to start your focused due diligence. What other ways are you currently prioritizing your Business Associate risk management efforts?
Download a more in-depth questionnaire to be completed by your Business Associates here!