From 300 to 36: Reducing Hurdles in Business Associate Assessments

Posted by James Schroeder

A Guide to Keeping Business Associate Assessments Complete, Compliant and Short

Business associate assessments are notoriously burdensome and time consuming for both covered entity and the business associate (BA). But the typical 300-question survey can be significantly narrowed by focusing on the most critical and problematic issues.

As a covered entity, a single hospital could have over 100 business associate (BA) agreements. For multi-location and national health systems, that number is exponentially higher. The sheer volume makes performing business associate assessments for every single BA under a covered entity particularly daunting.

Under HIPAA, covered entities must have protocols in place to safeguard protected health information (PHI), which includes documentation of engagements with any BAs. HIPAA “requires the business associate to comply with the Rules’ requirements to protect the privacy and security of protected health information.” 1

How do you begin to tackle such a formidable task? Start with assessing your vendors. This process usually entails a survey that BAs must complete and return to the covered entity. In some scenarios, the survey is a generic workbook filled with hundreds of questions. A standardized survey is distributed to all vendors to evaluate risk across various applications, software, and services, aiming to enhance vendor risk management.

However, this “one size fits all” strategy fails to produce the desired result—a comprehensive BA risk assessment. Administering short, compliant business associate assessments is a more practical and effective option. Here’s why.

Challenges with Traditional BA Assessments

Typical business associate assessments can be anywhere from 300 to 1300 questions, depending on the complexity of the business associate and its handling of PHI. These surveys are usually administered via email and a static file such as Excel.

Can you imagine reviewing an Excel file of 300 responses from every single BA on your roster? Can you imagine each of your BAs actually completing that kind of survey in a timely manner?

This type of process is rife with hurdles:

  1. Typical surveys include many questions that don’t add value. The covered entity must perform due diligence to determine if a BA qualifies to provide its solutions or services to the organization. These traditional long surveys are designed to be granular to address any possible scenario. These types of questions may not apply to particular vendors, and therefore are unnecessary.
  2. Survey providers do not offer guidance to the covered entity. Many business associate assessment consultants simply hand over a 300-question survey with little or no guidance on the scope for any given BA. If many of the questions do not apply to certain BAs, how does a covered entity and its vendor partners know which questions to answer without proper consultation?
  3. Using Excel and email to administer surveys is outdated and time consuming. Business associate assessments are notoriously burdensome. Completing several hundred questions in an Excel file is logistically difficult. And, sharing an Excel-based file back and forth via email makes tracking the latest versions even more challenging. It can take BAs several weeks, if not longer, to complete such a task. Now, multiply that by hundreds of BAs—how much time is this costing you and your BAs? What is the administrative burden and is it acceptable?

How to keep BA assessments complete, compliant and short

Business associate assessments over 300 questions are an obstacle, for both the covered entity and its BAs. Covered entities can get the information they need while still performing due diligence to meet the Rules of HIPAA by creating streamlined surveys tailored to each BA.

Read more: What Are the Three Pillars of HIPAA Compliance?

Best practice at ComplyAssistant is 36 questions focused on the most problematic and critical issues. By building smarter surveys, business associate assessments become more flexible and higher levels of vendor compliance are achieved. In this way, you avoid requiring BAs to answer questions that simply don’t apply to them and improve every vendor relationship.

Areas of appropriate administrative, technical and physical safeguards to confirm with your BAs include:

  • Encryption: Do your BAs have appropriate encryption protocols in place for data in transit and for data at rest (maintained in the cloud)?
  • Risk assessments: Have you and your vendors performed solid risk analysis on where your PHI resides, and documented what risks and vulnerabilities are presented by operational, environmental and physical factors?
  • Change management policies and procedures: Do your BAs have these in place, and more important, in writing? Do your vendors have a written information security management policy and process that addresses how information is identified, categorized and controlled throughout its life cycle at that organization?
  • Monitoring downstream BAs: Are your BAs performing assessments and monitoring their own downstream vendors as stringently as they are for their own data and processes?
  • Appropriate destruction and disposition of data: How do your BAs handle data and the hardware or servers on which it resides? Do they contract out for these services, and if so, do their vendors have appropriate safeguards in place?

Business associate assessments are labor intensive and time consuming for both covered entity and the BA. But the typical 300-question survey can be significantly streamlined by tailoring assessments and focusing your survey on the most critical and problematic issues.

Read more on ComplyAssistant’s approach to business associate assessments.

Special thanks to our partner, Krystyna Monticello, Attorney at Oscislawski LLC, for her expert contributions to this post.

  1. https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html (sourced 3/19/18)