Recent healthcare data breaches, like the Accendo Insurance incident affecting 16,090 individuals through their business associate Landmark Admin, show the importance of vendor security auditing. Healthcare organizations must carefully evaluate and monitor their business associates' security practices to protect patient data and maintain HIPAA compliance.
Related: How to secure email communications with third-party vendors
Business associates pose unique security risks to healthcare organizations. According to a PricewaterhouseCoopers study cited by the American Hospital Association, business associate breaches accounted for approximately 55% of all reported data breaches since September 2009. These breaches can be costly, with HIPAA violation fines ranging from $100 to $50,000 per violated record.
HIPAA requires healthcare organizations to obtain satisfactory assurances from their business associates regarding safeguarding protected health information (PHI). This includes written agreements and regular verification of security practices.
A comprehensive technical assessment examines how business associates protect sensitive data. This includes reviewing encryption methods, access controls, and network security measures. Organizations should verify that associates maintain current security patches and updates while following industry best practices for data protection.
Regular compliance checks ensure business associates maintain required security standards. Review their risk assessment procedures, incident response protocols, and staff training programs. Documentation should demonstrate ongoing HIPAA compliance and regular security updates.
Create a risk-based auditing schedule that accounts for the volume and sensitivity of data each associate handles. High-risk vendors may require more frequent assessments, while those with limited data access might need less frequent reviews.
Maintain comprehensive records of all audit activities and findings. This documentation serves multiple purposes: demonstrating due diligence, tracking security improvements, and providing evidence of compliance efforts. Keep detailed communication records with business associates regarding security concerns and remediation efforts.
Go deeper: How to ensure business associates are HIPAA compliant
Pay attention to business associates who show reluctance toward security assessments or delay breach notifications. Outdated systems, incomplete documentation, and inadequate staff training often indicate deeper security issues that require immediate attention.
Request current security policies, incident response plans, training records, and evidence of regular risk assessments.
Conduct on-site assessments when possible, review system logs, and require regular security reports from business associates.
Consider termination if an associate repeatedly fails to meet security requirements, experiences multiple breaches, or shows an unwillingness to address serious security concerns.