Many covered entities work with vendors, consultants, lawyers, data managers and more for subcontracted services that require the use of PHI. In order to release PHI to a subcontractor, covered entities are required to obtain a signed Business Associate Agreement that describes their HIPAA responsibility. But is a signed contract enough to protect you from liability in the case of a breach?
As a covered entity you are required to obtain “reasonable assurance” of your Business Associate’s compliance with the BAA and HIPAA regulations. This leaves a lot of room for you to do what you think is right. But consider that if one of these BAs causes a breach of the data you provide to them, you may be held liable. You’re putting your own business on the line by accepting this as “evidence” that they understand the terms of the agreement and are taking it seriously and implementing the actions required by it. Do you feel that your organization is protected with this level of assurance?
You might consider sending them a brief compliance questionnaire in addition to this if you want to make sure that they actually have at least some sort of compliance program in place. But then again, if they show on their questionnaire that they are not strongly compliant that could impact your ability to do business with them or demonstrate that you knew they were not compliant and did business with them anyway.
Many businesses accept a contract signage as “reasonable assurance” of compliance from their BA’s. But other businesses, for whom the risk of a BA breach or the costs of a BA breach are too high to accept, require more assurance of compliance. It’s up to your organization to determine what is acceptable.
A good way to determine what is acceptable is to do a risk analysis and assessment regarding the data your business associates will be dealing with. BA’s using huge data sets with low expectation of compliance? May need stronger assurance. BA’s who are likely to be compliant and only using a very small amount of data? Maybe contract signage is enough.