Seriously, are your business associates HIPAA-HITECH compliant?

 A few weeks ago I predicted that covered entities will soon require business associates and subcontractors to meet minimum HIPAA-HITECH compliance standards in order to be considered for a contract.  And, after the largest breach so far under the HITECH Act breach notification was reported last week, other security experts are speaking in the same vein.

If you aren’t familiar with the breach, computer backup tapes from a health system with five hospitals, covering 20 years’ worth of patient data (1.7 million people), were stolen from an unlocked truck. The truck was in the process of delivering the tapes to a secure storage facility, but, unfortunately, they had not yet been encrypted. So now the hospitals are fielding the publicity and trying to minimize the real and perceptual damage, even though the hospitals had, no doubt, signed a business associate agreement with the trucking company that required the trucking company to maintain HIPAA compliant security standards. A lot of good that did them. Before the HITECH Act breach notification rule went into effect, a simple contract between covered entities and business associates sufficed. But, as an industry, healthcare organizations are beginning to realize that they are probably going to have to be more proactive, requiring business associates to conduct HIPAA training, complete assessments, produce security audits or otherwise prove that the security standards in place are equal to those of the covered entity.

To quote Rebecca Herold, a security professional recently interviewed by, "Counting on just a BA agreement is not enough. Organizations need to go further and require business associates to provide some kind of proof or assurance that they actually have safeguards in place. If they don't obtain some type of assurance, it is likely this type of incident will happen."

If you have concerns about your organization’s level of security, visit  Our straightforward assessment tool helps covered entities, business associates and their subcontractors meet HIPAA-HITECH Security Rule requirements.  In fact, we offer a BA and sub-contractor management program that helps you reduce these significant risks in the ‘chain of trust’. 

After all, your stakeholders are counting on you to do so!
