Four Steps to Secure Your BAs from Breaches

Posted on 3 Aug, 2017 | 4 comments | By Elizabeth

Consider conducting security audits to evaluate your BA’s security and privacy practices.

Are your business associates (BAs) ready to respond to a HIPAA breach? When it comes to answering this question, what you don’t know can hurt you.

According to a Cyber-Awareness Monthly Update from the HHS Office for Civil Rights (OCR), covered entities (CEs) and BAs should think ahead about how they will handle a breach at a vendor or subcontractor.

Problem: According to OCR, a large percentage of CEs believe their BAs will not notify them of security breaches or cyberattacks. These CEs also find it difficult to manage security incidents involving BAs, and consider it impossible to determine whether their BAs’ data safeguards and security policies and procedures are adequate to respond effectively to a data breach.

Solutions: The OCR offers the following tips on making sure that your BAs or subcontractors are prepared for a HIPAA breach or security incident:

  1. Include Specifics in Your BAAs

You should consider defining in your service-level agreements or BA agreements (BAAs) how, and for what purposes, your BA may use or disclose PHI. Spelling this out matters because it gives the BA a clear baseline against which to report any use or disclosure of PHI that the BAA or vendor contract does not provide for, including breaches of unsecured PHI and any security incidents.

According to the United States Computer Emergency Readiness Team (US-CERT), cybersecurity incidents may include activity such as:

  • Attempts (either failed or successful) to gain unauthorized access to electronic PHI (ePHI) or a system that contains ePHI;
  • Unwanted disruption or denial of service to systems that contain ePHI;
  • Unauthorized use of a system for the processing or storage of ePHI data; and
  • Changes to system hardware, firmware, or software characteristics without the owner’s knowledge, instruction, or consent.

  2. Identify a Timeframe for Breach Reporting

OCR also advises that you define in your BAA the timeframe in which you expect your BA or subcontractors to report a breach, security incident, or cyberattack. Keep in mind that CEs are liable for untimely breach reporting to affected individuals, as well as to OCR and the media.

Rule of thumb: The sooner an incident is reported, the faster a CE or BA can respond, OCR points out. Rapid reporting helps minimize the damage caused by the incident, prevent further loss of ePHI, preserve evidence for forensic analysis (if needed), and regain access to and secure the affected IT systems.

  3. Define What You Expect in the Incident Report

Consider identifying in your BAAs the type of information that’s required in a breach or security incident report. Your BA or subcontractor should include in such reports:

  • BA name and contact information
  • Description of what happened, including the date of the incident and the date of discovery, if known
  • Description of the types of unsecured PHI involved in the incident
  • Description of what the BA is doing to investigate the incident and to protect against further incidents.

  4. Conduct Security Audits on Your BAs

CEs and BAs alike should train their workforce members on incident reporting. You may also want to conduct security audits and assessments to evaluate your BAs’ or subcontractors’ privacy and security practices. “If not, ePHI or the systems that contain ePHI may be at significant risk,” OCR warns.

To stay abreast of relevant threats, sign up for the OCR’s cyber-awareness updates at

To learn more about business associate breach safeguards—and how to reduce your HIPAA breach dangers, tighten up your electronic health record (EHR) privacy and security, and reassess your risk analysis plan—pick up your copy of TCI’s HIPAA Handbook 2017.

Elizabeth works on an array of projects at TCI, researching and writing about modern reimbursement challenges. Since joining TCI in 2017, she has also covered the nuts and bolts of cybersecurity, compliance with federal laws, and how to tap into the advantages of telehealth services.


4 thoughts on “Four Steps to Secure Your BAs from Breaches”

  1. I in addition to my friends happened to be viewing the excellent procedures found on the website while quickly I got an awful feeling I never thanked the web blog owner for those tips. All of the young boys became for that reason stimulated to read through them and have now seriously been tapping into those things. Thanks for simply being well kind as well as for pick out this kind of fantastic tips millions of individuals are really desirous to be informed on. Our sincere regret for not expressing appreciation to earlier.

  2. I intended to compose you one little bit of word to help thank you so much once again for these superb opinions you have documented on this site. It was certainly extremely open-handed of you to provide openly all that a number of us would have sold as an ebook to generate some dough for their own end, particularly considering that you might well have done it in the event you decided. Those smart ideas in addition acted as a good way to fully grasp that someone else have the same keenness similar to my very own to learn a lot more with regard to this issue. I know there are lots of more enjoyable situations up front for folks who see your website.

  3. I needed to create you this bit of remark to be able to thank you as before on the unique tactics you have featured at this time. It’s simply strangely open-handed with people like you in giving extensively all that a lot of folks might have advertised for an e book in order to make some profit for their own end, most notably considering the fact that you could have done it in the event you wanted. The suggestions additionally worked to become a good way to fully grasp other individuals have the identical interest much like my very own to see a good deal more pertaining to this issue. I think there are lots of more fun situations in the future for many who check out your blog.

  4. I must voice my appreciation for your kind-heartedness for women who really need assistance with this important concern. Your real dedication to getting the solution around turned out to be exceptionally beneficial and has constantly helped ladies much like me to get to their endeavors. Your own useful information indicates a great deal to me and additionally to my office workers. Thanks a lot; from each one of us.
