Business Associate Agreement Due Diligence: How Much Diligence is Due?

Due Diligence

Under the HIPAA Privacy Rule, covered entities must enter into a signed business associate agreement with any business associate they hire that may come into contact with protected health information (PHI). However, a covered entity does not satisfy its legal obligations under HIPAA merely by signing the agreement. Instead, a covered entity is required to evaluate whether the business associate can properly protect PHI before any agreement is entered into. Business associate agreement due diligence requires covered entities to assess the risk of a would-be business associate failing to adequately safeguard patient information.

Business Associate Agreement Due Diligence: What is Technical Due Diligence?

Under HIPAA, a “business associate” is a person or entity that performs certain functions or activities involving the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity’s workforce is not a business associate. The types of functions or activities that may make a person or entity a business associate include payment or healthcare operations activities, as well as other functions or activities regulated by the HIPAA rules.


Technical due diligence consists of vetting a potential business associate vendor before hiring that vendor to perform healthcare functions. It is the first step in business associate agreement due diligence. In technical due diligence, a covered entity evaluates a potential vendor to determine whether the vendor has safeguards, policies, and procedures in place that are sufficient to protect the PHI or ePHI the covered entity will submit to the vendor, and that the vendor will submit to the covered entity.

The failure to conduct technical due diligence can be costly. On March 3, 2020, OCR announced that it had entered into a settlement agreement with a Utah gastroenterology practice. The settlement, in the amount of $100,000, was reached, in part, because the practice allowed a business associate (an EHR company) to create, receive, maintain, or transmit ePHI on the practice’s behalf, without first obtaining satisfactory assurances that the EHR company would appropriately safeguard the ePHI.   

How Can a Covered Entity Perform Technical Due Diligence?

The HIPAA rules do not call for a specific type of evaluation. That said, a risk questionnaire is an effective evaluation tool. Through a written risk questionnaire, a covered entity asks a series of “yes” or “no” questions of the potential business associate. The questions ask the business associate, in detail, about what security measures it has in place, and what security policies and procedures it has in place. 

Once a covered entity gives the questionnaire to a would-be business associate, the business associate answers the questions. There are, at this point, two classes of business associates: those who return a completed questionnaire to the covered entity and those who do not. A vendor that either returns an incomplete questionnaire, or that does not return the questionnaire at all, has not provided the covered entity with enough information to determine whether that vendor can properly safeguard PHI or electronic protected health information (ePHI).

Covered entities should not be doing business with these vendors. If a covered entity ends up signing a business associate agreement with this kind of vendor anyway, with the questions remaining unaddressed, the covered entity has failed to conduct its technical due diligence. Failure to conduct due diligence places the security of patient information at risk. If there is a data breach stemming from the business associate’s failure to provide one or more safeguards, and that failure could have been prevented by the covered entity’s refusing to work with the business associate in the first place, the covered entity is subject to a fine.

Vendors who do return completed questionnaires to covered entities have given the covered entity enough information to assess whether the vendor is a good fit. If the answers to the risk questionnaire reveal that the vendor will provide adequate PHI or ePHI safeguards, the covered entity can use the vendor as a business associate. If, however, the vendor returns the completed questionnaire and, upon reviewing the answers, the covered entity determines the vendor is not capable of providing adequate security measures, the covered entity should decline to do business with the vendor.

Where Can I Find a Risk Questionnaire?

Covered entities can begin the technical due diligence process by obtaining a HIPAA risk assessment questionnaire. This set of questions should be completed by all vendors with which the covered entity seeks to enter into a business associate agreement.

Business Associate Agreement Due Diligence: Is Documentation Needed?

Once the covered entity has reviewed the results of the questionnaire, and has made the appropriate decision (hire or not hire) based on the answers, the covered entity should ensure it has documented the results of the evaluation of the would-be business associate. In other words, the covered entity cannot simply conduct the due diligence; it must be able to provide documentation, in the event of an HHS audit, that proves the evaluation was made. If the covered entity provides sufficient documentation, the covered entity has satisfied its due diligence obligations. Once the covered entity has done so, OCR will then focus on what security measures the business associate indicated it would take in the questionnaire, but failed to take in reality. 

After a covered entity performs its technical due diligence, it can, if appropriate, enter into a business associate agreement. The agreement must, among other things, establish each party’s security and privacy obligations. The agreement must also contain language that indicates what both the covered entity’s and the business associate’s liabilities are in the event of a breach.

Business Associate Due Diligence: For How Long is Diligence Required?

Technical due diligence does not end upon signing the business associate agreement. HIPAA requires covered entities to monitor business associate security practices to determine whether covered entities should continue to do business with the vendor in the future.

Contracts between a covered entity (CE) and a business associate (BA) limit liability for both parties. A business associate agreement (BAA) is required by law. The BAA must be customized to fit the relationship between the vendor and the CE. A BAA establishes the security and privacy requirements for each party and lays out who is required to do what in the event of a breach. Annual completion of a risk assessment by the covered entity ensures that the vendor is still properly safeguarding PHI.
