As healthcare organizations face an increased risk of breaches that put privacy and security at risk, it’s critical that they recognize the significant role played by their business associates (BAs). Rigorous due diligence is part of the risk analysis conducted by covered entities (CEs) to ensure that partners have HIPAA-compliant policies in place to safeguard the privacy and security of protected health information.

It’s crucial that healthcare organizations be detail-oriented and methodical in assessing their BAs, say Anthony Murray, vice president of information technology, and Rita Bowen, vice president of privacy, compliance and HIM policy for MRO, a company that provides products and services to ensure the secure, compliant and efficient exchange of PHI.

Murray and Bowen urge organizations to conduct an assessment of the vendor’s compliance with HIPAA regulations, the integrity of the vendor’s data, and its breach prevention practices. In that process, IT and security executives should create a list of assessment factors that correlate to the type of data the vendor can access. They believe it’s essential that the vendor meet the following 12 requirements.