Five questions to ask your service provider about HIPAA compliance

If you've signed a Business Associate Agreement with a service provider or vendor and believe that the BAA ensures that your business associate is in full compliance with the Health Insurance Portability & Accountability Act, think again. In truth, a BAA may only assure partial compliance at best, and assuming otherwise could put you and your healthcare organization in an extremely precarious situation. According to HIPAA, a signed BAA does not transfer responsibility for the data to your vendor or absolve you of risk.

Although most of us are aware that both the business associate and the healthcare organization bear responsibility when it comes to HIPAA compliance, it's the healthcare organization that suffers the most negative publicity and potentially devastating consequences after a data breach, even when the loss is due to a business associate's lack of compliance. That's why it's crucial, even if you have a signed BAA, to explore these five critical areas as a reality check to determine whether your business associate truly is HIPAA compliant.

1. What measures has your provider put in place to ensure that your data is secure? Simply asking your provider if your information is safe and getting an affirmative answer isn't sufficient. It's the responsibility of the healthcare organization to do due diligence in determining how the service provider will secure its data, and to obtain proof of it.

2. What measures will your provider's subcontractors take to ensure that your information is safe? Remember that your provider could very well contract out some of the services they provide, and it's up to your organization to ensure that your provider does the same due diligence to determine how each of their subcontractors will protect your data, including having a signed BAA.

3. What will happen to your data after the contract expires? Make sure you understand how your provider plans to handle your information after the contract ends. If they plan on deleting your data, for example, they must use a secure erase process ("shred" wipe) to be certain that the information is permanently and entirely deleted. Even after the contract ends, the BAA itself must remain in effect as long as the provider retains copies of your data (due to legal retention or on backup tapes, for example).

4. Is your provider using an up-to-date BAA form? The Department of Health and Human Services implemented new HIPAA rules on September 23, 2013, allowing covered entities a full year – until September 22, 2014 – before they were required to revise their BAAs accordingly. That one-year grace period has ended. Make sure your provider has signed an updated BAA.

5. Do you and your provider understand the concept of administrative controls versus physical or technical controls? HIPAA requires three types of controls: 1) administrative (policies, for example); 2) physical (safeguards put in place where a server is physically located, for example); and 3) technical (encryption of data, for example). Administrative controls alone are not sufficient – you and your provider must have physical and technical controls in place as well in order to adequately secure your data and ensure compliance. Your provider should regularly give you, as the healthcare organization, the details and proof showing how it complies with these HIPAA controls.

The intent of a BAA is to protect personal health information. And while there's no doubt that having a signed, up-to-date BAA with your service provider or vendor is necessary, it doesn't necessarily mean that the business associate you're dealing with is HIPAA compliant. It's the responsibility of the healthcare organization to make that determination.

Nancy Wilson is the Vice President Compliance and Security Services of Lumen21, an award-winning global technology firm with deep experience in the health care industry advising clients on HIPAA regulations, security concerns and IT services. Learn more at




The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.
