Q&A: BAA risk managment and security plan

May 18, 2017
Medicare Web

Q. Is a covered entity (CE) required to see a copy of a business associate’s (BA) risk management and security plan? Do we need to have a copy of this in our files?

 

A. There is no stated HIPAA Security Rule requirement that you see and retain your BA’s risk management and security plan but it’s a really good idea, especially if the BA supports a critical component of your operation such as data backup and EHR vendors. HIPAA does require you to be able to demonstrate due diligence and this would be one way to document that you are paying attention to due diligence. 

It’s good practice to require BAs to demonstrate they have implemented sound security, and not just from a technical perspective. It’s also good practice to go back to those BAs and require them to demonstrate ongoing sound security practices. You can substitute your BA’s risk management and security plan for a Service Organization Controls 2, International Standardization Organization 27000, or a HITRUST report. If you go the substitute route, read the report and follow up with your BA if the report notes any medium to high risks, and ask what mitigating steps the BA has taken to address the risks noted in the report.

As a side note, you need to review your BA’s risk management and security plan or a report from a third-party certification body. If risks are noted, you are required to follow up with your BA and have them demonstrate that they mitigated the risk or accepted the risk (and the reason why the risk was accepted). If you don’t, you could be found guilty of willful neglect because you knew of the risk and you didn’t follow up to make sure the risk was addressed.

Editor’s note: This question was answered by Chris Apgar, CISSP. Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are that of the author and do not represent HCPro or ACDIS. Email your questions to Editor Nicole Votta at nvotta@hcpro.com.

Related Topics: 
HIPAA