The BA Agreement Is Not Sufficient for "Satisfactory Assurances"

April 5, 2016

As I have preached over and over, the three pillars of HIPAA compliance are an updated risk assessment, updated policies, and documented security awareness training. Just getting your BAs to sign a BA agreement is not enough.

HHS demands that you get “satisfactory assurances” that the BA is living up to their BA agreement. One simple and cost-effective method is taking an on-line security awareness training program that awards a certificate for completion. While this is only one of the three pillars, it is simple and cheap. Cheap as in $20 per person per year.

This documented demonstration of HIPAA compliance goes a long way towards showing that the BA is not in “willful neglect” and that their covered entity or larger business associate is getting those “satisfactory assurances”. While it is important that they take further steps, security awareness training helps inform them of the requirements.

Our on-line security awareness training works like this:

  1. Sign up and give us a list of the names and email addresses of your BAs

  2. We send them a link to an on-line video

  3. They watch the video

  4. They take a quiz

  5. They get a certificate of completion

  6. You get “satisfactory assurances” that they are working on HIPAA compliance

For more information, contact me at Jack@compliancehelper.com or call me at 866-984-3573, ext. 709.

