Business Associate Assessment Questionnaire

EHR 2.0 provides consulting services, in partnership with leading law firms, to assess your business associates (BAs) based on several key factors:
Corporate size of the BA
Volume of data accessed by the BA
Number of facilities serviced by the BA
Type of services provided by the BA
Complexity of services provided by the BA
Location of the BA
Previous data breaches, complaints or incidents involving the BA
Our Business Associate Assessment and Monitoring services combine the factors above with the guidelines chart that follows to provide a periodic assessment report on your key business associates:
The New Trend in Healthcare IT

Business Associate Initial Assessment Questionnaire

Goal: This initial business associate assessment questionnaire has been designed to support the requirements of the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) and other applicable data privacy laws and regulations. Upon completion of this assessment questionnaire, a detailed assessment questionnaire will be shared with the business associate, if required, based on the responses. It is not to be considered a binding contractual document, but only a discovery mechanism to assist in fact-finding between the covered entity and the business associate.

Scope: Under the HIPAA Privacy and Security Rules, health care organizations are required to perform active risk prevention and safeguarding of patient information, which is essential to patient privacy. Health care organizations often use the services of a variety of contractors and businesses. The HITECH Act allows covered entities to disclose the minimum necessary protected health information (PHI) to these "business associates". This should only be allowed if the covered entity obtains satisfactory documented assurances that the business associate will use the PHI only for the designated business purposes for which it was engaged under contract by the covered entity. The business associate must safeguard any and all subsequent information from misuse, abuse or unauthorized disclosure. The business associate is required to exercise due diligence to help the covered entity comply with its duties under the HIPAA Privacy Rule within the scope of its normal business processes, operations and services to the covered entity.

1. Security policy
Do you have formal and documented security policies, standards, plans and procedures?
A set of rules and procedures regulating the use of PHI, including its processing, storage, distribution, and presentation. The set of laws, rules, and practices that regulate how an organization manages, protects, and distributes PHI.
COMMENTS BY BA:

2. Change control
Does your organization have a change control procedure to support your security policy?
Changes to the system, network, applications, databases, other system components, and physical/environmental changes should be monitored and controlled. Changes should be

Your source for healthcare IT security and compliance www.ehr20.com
Education * Consulting Services * Toolkit 802-448-2255