What You Need to Know if You’ve Signed a Business Associate Agreement

by Carl Kunkleman
Co-founder and SVP

I’ve been talking with a lot of leaders of healthcare IT firms lately, and in the scramble to get products to market last year, I think a few things fell through the cracks…like identifying their security gaps.

The folks I’ve been talking with are rightly concerned about their cloud security posture. Here’s how that conversation has been going: I ask them if they signed a Business Associate Agreement (BAA) with that covered entity they are working with. They say yes. I ask about how their Security Risk Assessment looked last year, and there’s typically an awkward moment of silence on the phone or video call.

If you have a Business Associate Agreement with a covered entity, they can and should ask to see your HIPAA Security Risk Assessment at any time, and they expect the analysis to have been conducted within the last year. A Business Associate Agreement specifically calls out the provisions of the Code of Federal Regulations that you must adhere to.

It’s usually at this point that they ask me whether the Security Risk Assessment is something they should do themselves or outsource. Full disclosure: I have strongly held opinions on that because I’ve seen the results from people who attempted to do this in-house. Despite their best intentions, there are consistent blind spots and bias in internally conducted Security Risk Assessments. Talented IT leaders have downloaded software, answered a 200-question form, and come out looking like they were in tip-top shape, but were they? The short answer is “no” on the ones I’ve encountered—they had glaring security gaps and risk.

Think about this. If you lose Protected Health Information (PHI), you may have to notify the Office for Civil Rights and be subject to audits, legal proceedings and huge fines. So, the nagging self-doubt about whether the questions were answered correctly is actually something you want to heed.

At ClearDATA, here are just a few of many reasons why healthcare organizations are coming to us to get their SRAs in order:

1. We are a HITRUST-certified, healthcare-exclusive partner who can interpret the regulations of HIPAA, which was written 10-20 years ago.

2. We are certified cloud experts and premier level partners across all three public clouds.

3. We know how to tailor the recommendations to your unique business, so your remediation plan includes addressing your most important security gaps first, not last.

4. We have software that lets you visualize your analysis and remediation plan and track the project management needed to shore up gaps and address areas in violation of HIPAA. This comes in really handy if you are ever audited.

Once we conduct your SRA, we’ll get you a draft report that we’ll go over line by line with you. We’ll make sure it addresses your high, medium and low risks, and that it’s presented in the language that best serves your team, from layman’s terms to deeply technical. We’ll provide you with personalized, realistic, achievable next steps for your organization.

Healthcare has never been a fit for any one-size-fits-all solution.

It’s not a huge investment of your time or money to have a solid third-party Security Risk Assessment. It can be a huge investment of both your time and money if you decide not to.

Here’s a link to a recent webinar I hosted about this topic. I think it offers up some great advice you can share with your team to better understand what an SRA measures, and why that matters.

Reach out to me today to learn more and schedule a consultation. Let’s find your security gaps before someone else does.
