How to Audit Your Business Associates

As a covered entity (CE), you have probably realized by now that your business associates' (BAs') activities can put your organization at risk, especially when you share PHI with them, which in most engagements you must. How much PHI you share, and what limits you place on the BA's right to use and disclose it, are decisions you control, and they should follow from the nature of the work the BA does for you: the Privacy Rule's minimum necessary standard applies to what you hand over just as it applies to your own workforce.

This is a guest post written by Amit Sarkar, President of HIPAA Institute.

For example, a pharmacist who refills your patients' prescriptions needs detailed clinical information, such as drug allergies, that a Durable Medical Equipment (DME) supplier has no reason to see.

Never Lose Sight of This

It is essential to have a HIPAA compliance plan that integrates risk assessment and risk management. Just as you train your own personnel on the requirements of the HIPAA statute, the Security Rule, the Privacy Rule, and HITECH, make sure your BAs understand what they may and may not do with the PHI you share, including the permitted uses and disclosures. The formal instrument for this is a comprehensive business associate agreement (BAA), which must spell out the BA's responsibility to safeguard the confidentiality, integrity, and availability (CIA) of the PHI entrusted to them. Keep in mind that since HITECH, BAs are directly liable under the Security Rule and the applicable Privacy Rule provisions; the BAA does not shift your own obligations to them, and signing one is not a substitute for verifying that they actually comply.

Define Liability Clearly

You must define your BAs' liability in the unfortunate event of a breach, and make sure they know the steps to take as soon as a breach is discovered. The Breach Notification Rule requires a BA to notify the CE of a breach without unreasonable delay, and no later than 60 calendar days after discovery; most BAAs set a much shorter contractual window, and you remain responsible for notifying the affected individuals, HHS, and, where required, the media, unless the BAA delegates that task to the BA. Sometimes PHI is exposed without any confirmed harm or loss of data; since an impermissible use or disclosure is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised, your policies and procedures should state clearly how such incidents are assessed, documented, and escalated.

Don’t Wait for an Event; Audit!

A straightforward way to confirm that your BAs are HIPAA compliant and are honoring the provisions of the BAA is to audit them periodically. Monitoring their activities will surface gaps in compliance, and often gaps in understanding of what they should not do, before those gaps lead to an accidental disclosure of PHI. At a minimum, an audit should ask the BA for evidence rather than assurances: a current risk analysis, access control and audit log policies, workforce training records, their own BAAs with any subcontractors that handle your PHI, and their incident and breach log. Many find audits vexing, but this is one area where it is better to be safe than sorry; audits are to compliance what vaccination is to disease prevention, because the goal is to prevent a breach or compromise of PHI rather than react to one. If you are not sure what a HIPAA compliance audit should cover, the experts at HIPAA Institute can guide you on the areas of greatest risk and on what needs to be done.

Amit Sarkar

Amit Sarkar is a global HIPAA compliance expert and President of HIPAA Institute, with more than two decades of experience in U.S. healthcare and related domains and globally recognized certifications in quality and compliance. He has run end-to-end compliance programs covering HIPAA, information security, and regulatory and statutory compliance for multimillion-dollar organizations with a presence across the globe. A Six Sigma Master Black Belt and a LEAN champion from GE, he has led a number of business revival projects, including two major projects in the U.S. healthcare insurance and revenue cycle management domains.
