It is critical for all covered entities (CEs) to address the following issues with every vendor that comes in contact with their ePHI.
Awareness of the HIPAA Security Rule: Make sure that your BAs understand their responsibility under HIPAA to ensure the security and privacy of your ePHI. Make them aware that they are directly liable for Security Rule compliance and of the penalties for failing to protect your data.
Administrative, Physical and Technical Safeguards in place: Ask your BA for a copy of their Information Security Management Program. This document should explain in detail the security measures in place at the vendor site: the physical security of their facilities and information systems, the technical controls protecting those systems, and the written policies and procedures in place to safeguard your data.
Risk Analysis: Your BA must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI in their possession, as required by HIPAA Security Rule §164.308(a)(1)(ii)(A). Review a copy of their Risk Analysis Report if possible, or at the very least get it in writing that a thorough risk analysis was conducted, when it was conducted, and how the identified risks are being managed.
Contingency plan: You need to ensure that your data is safe with your BA in case of a disaster at their location. Suppose their server crashes or they have a fire. Is your data safe? Can they recover it completely and accurately? How soon can they recover it? Discuss their data backup plan and disaster recovery plan, ask whether they actually test restoring from backup, and confirm with the BA that your data is properly protected.
Workforce training: All BA employees who handle your ePHI need to be trained on HIPAA-compliant policies and procedures. Your BA needs to show evidence of this training, such as training records or attendance logs.
Business Associate Agreement (BAA): Execute a written BAA with each of your business associates covering all aspects of ePHI security, including breach notification and the BA's obligation to bind its own subcontractors to the same terms. A sample BAA can be found here.
The time for covered entities to discuss these issues with their business associates is right now! Studies show that many data breaches occur outside the medical or dental office, when data is in the hands of a business associate or a subcontractor. As a covered entity you need to do your due diligence and ensure that your patient data is safe with your business associates.