Q: On May 25, 2021, the Office for Civil Rights investigation of Peachstate Health Management LLC found systemic noncompliance with the HIPAA Security Rule, including failures to conduct an enterprise-wide risk analysis, implement risk management and audit controls, and maintain documentation of HIPAA Security Rule policies and procedures. This case involves a business associate (BA). What are some common issues that still arise when it comes to BAs, and how can covered entities (CEs) ensure their BAs are in compliance with security requirements?
A: CEs are required to perform due diligence when it comes to their BAs. The same is true for BAs and their BA subcontractors. This is a HIPAA requirement and is just plain sound security practice, given that vendors can represent a significant risk to CEs and BAs alike. Due diligence is not a one-time event. CEs and BAs need a process in place to assess the risk associated with any new vendor they are thinking of contracting with.
CEs and BAs should have an annual process established to, for instance, review vendor SOC 2 Type II reports, complete security questionnaires and review HITRUST certification reports. This doesn't mean CEs and BAs need to conduct such an assessment of all of their vendors. They need to assess vendors who are critical to CE and BA operations and vendors who have access to protected health information (PHI). If they determine that a vendor is a security risk, CEs and BAs need to take steps to mitigate the risk, require their vendors to mitigate the risk, or contract with another vendor for the same services.