Detailed Background Check

Simplify the Complex

Ensure Compliance

Product Information

You’ve likely been using the same IT firm for some time. Same for your billing company. Any third party that has access to your patient health information must live up to the same HIPAA regulations that your office does.

How do you know if they are doing this? You can ask, but that isn’t enough. You need a detailed risk assessment on these business associates.

We have taken this rather complex area and narrowed it down to what matters.

What You Get

The regulations say that “Covered entities and business associates must do the following,” and then, of course, all of the HIPAA regulations follow.

In order to help you understand what your business associates have in place for HIPAA compliance, we have put together an online questionnaire.

Simply submit to us the email address of the point of contact at the specific business associate; we’ll send them a unique sign-in code, and they will be able to fill out their online questionnaire.

Once complete, you will get a copy of this questionnaire including a summary review of the business associate’s HIPAA compliance status.

You get access to 6 uses, per year, of the business associate risk assessment. This means you can have up to 6 different business associates use this risk assessment.

What The Reg Says

CFR 164.306

(a) Covered entities and business associates must do the following:

(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.

(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.

(4) Ensure compliance with this subpart by its workforce.

(b) Flexibility of approach.

(1) Covered entities and business associates may use any security measures that allow the covered entity or business associate to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.

(2) In deciding which security measures to use, a covered entity or business associate must take into account the following factors:

(i) The size, complexity, and capabilities of the covered entity or business associate.

(ii) The covered entity’s or the business associate’s technical infrastructure, hardware, and software security capabilities.

(iii) The costs of security measures.

(iv) The probability and criticality of potential risks to electronic protected health information.

(c) Standards. A covered entity or business associate must comply with the applicable standards with respect to all electronic protected health information as provided in this section and in:

164.308  Addressable Safeguard – Security Risk Assessment

164.310  Physical Safeguards – Limit physical access to Patient Health Information

164.312  Technical Safeguards – Protect Electronic Patient Health Information

164.314  Organizational Requirements – Business Associate Requirements

164.316  Policies & Procedures – Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements

Only $295