
{"id":1753,"date":"2012-02-06T00:00:00","date_gmt":"2012-02-06T00:00:00","guid":{"rendered":"http:\/\/otava.test\/five-questions-to-ask-your-business-associates-3-policies-technologies\/"},"modified":"2012-02-06T00:00:00","modified_gmt":"2012-02-06T00:00:00","slug":"five-questions-to-ask-your-business-associates-3-policies-technologies","status":"publish","type":"post","link":"https:\/\/www.otava.com\/blog\/five-questions-to-ask-your-business-associates-3-policies-technologies\/","title":{"rendered":"Five Questions to Ask Your Business Associates: #3 Policies &#038; Technologies"},"content":{"rendered":"<div>\n<p>Our third most important question to a Business Associate is:<\/p>\n<p><em><strong>What policies and technologies are used to protect my applications and PHI data?<\/strong><\/em><\/p>\n<\/div>\n<div>\n<p>Neither HIPAA nor HITECH calls for specific technical measures to ensure PHI data is available, accurate and secure. However, there are still basic technologies and practices that indicate a culture of security awareness and proficiency. 
After you review the BA\u2019s independent <a href=\"https:\/\/otavawebsite.wpengine.com\/compliance-security\/hipaa-compliant-cloud\/\">HIPAA audit<\/a> report, ask about these data security technologies.<\/p>\n<p>In our case, as a hosting provider, the\u00a0<strong>minimum server security requirements<\/strong>\u00a0to meet <a href=\"https:\/\/otavawebsite.wpengine.com\/compliance-security\/hipaa-compliant-cloud\/\">HIPAA compliance<\/a> are:<\/p>\n<ul>\n<li>Virtual or Dedicated Firewall<\/li>\n<li><a href=\"https:\/\/otavawebsite.wpengine.com\/solutions\/data-protection\/cloud-backup\/\">Backup<\/a><\/li>\n<li>Antivirus<\/li>\n<li>OS Patch Management<\/li>\n<\/ul>\n<p><strong>We also recommend:<\/strong><\/p>\n<ul>\n<li>Private Firewall services (either a Virtual or Dedicated Firewall) with VPN for remote access<\/li>\n<li>Separate database and web servers for production<\/li>\n<li>Separate test server (can use one for web and DB but not same as production)<\/li>\n<li><a href=\"https:\/\/otavawebsite.wpengine.com\/solutions\/data-protection\/cloud-backup\/\">Offsite data backup<\/a> at the minimum, ideally a warm-site disaster recovery paradigm (easiest for cloud servers)<\/li>\n<li><a href=\"https:\/\/otavawebsite.wpengine.com\/solutions\/cloud-security\/\">SSL certificates<\/a> and HTTPS for all web-based access to PHI (protected health information)<\/li>\n<li>Private IP addresses<\/li>\n<\/ul>\n<p><strong>Is encryption required?<\/strong><br \/>\nWe are asked this repeatedly, and the answer is \u201cNo, but it\u2019s a darn good idea.\u201d Encryption is usually handled at the software application level, so if you are working with a Business Associate who is providing software, ask how they address it in the application. If you are putting your own software on a server, you&#8217;ll undoubtedly have taken encryption into account. 
Encryption requires decryption prior to use, which is computationally expensive, so you can\u2019t just encrypt everything on the server. The best tools and methods depend on the application, operating system and usage patterns. Look for the following best practices:<\/p>\n<ul>\n<li>Always use SSL for web-based access to any sensitive data (personally identifying or medical information)<\/li>\n<li>Names, SSNs, diagnoses, addresses, prognoses and other sensitive information within an EMR (electronic medical records) system should be encrypted in the database using techniques and mechanisms known only to a select few.<\/li>\n<li>Content such as images or scans should be encrypted and contain no personally identifying information.<\/li>\n<\/ul>\n<p><strong>Important HIPAA policies to ask about:<\/strong><\/p>\n<ul>\n<li>Documentation of data management, security, training and notification plans (every employee should have regular HIPAA security training)<\/li>\n<li>Clients should use a password policy for their access<\/li>\n<li>Encrypt PHI data whether it\u2019s in a database or in files on the server<\/li>\n<li>Do not use public FTP (File Transfer Protocol) to move files<\/li>\n<li>Use only a VPN (virtual private network) for remote access<\/li>\n<li>Login retry protection in their application<\/li>\n<li>Documentation of a DR (<a href=\"https:\/\/otavawebsite.wpengine.com\/solutions\/data-protection\/disaster-recovery-as-a-service\">disaster recovery<\/a>) plan<\/li>\n<\/ul>\n<p>Next week, we\u2019ll talk about important questions to ask about disaster preparedness and how long it will take for you to access your PHI again in the event disaster strikes.<\/p>\n<p>Are you going to HIMSS 12 in Las Vegas, Feb. 20-24? If so, stop by our booth (#13528) and say hello! 
Online Tech will be <a href=\"https:\/\/www.onlinetech.com\/resources\/events\/seminars\/online-tech-to-exhibit-at-himss-12\">exhibiting at HIMSS<\/a> with our\u00a0<a href=\"https:\/\/otavawebsite.wpengine.com\/compliance-security\/hipaa-compliant-cloud\/\">HIPAA compliant hosting<\/a>\u00a0solutions for healthcare and related organizations.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Our third most important question to a Business Associate is: What policies and technologies are used to protect my applications and PHI data? Neither HIPAA nor HITECH call for specific technical measures to assure PHI data is available, accurate and secure. However, there are still basic technologies and practices that indicate a culture of security awareness and proficiency. After you review the BA\u2019s independent HIPAA audit report, ask about these data security technologies. 
In our case, as a hosting provider, the\u00a0minimum server security requirements\u00a0to meet HIPAA compliance are: Virtual or Dedicated Firewall Backup Antivirus OS Patch Management We also recommend: Private Firewall services (either a Virtual or Dedicated Firewall) with VPN for remote access Separate database and web servers for production Separate test server (can use one for web and DB but not same as production) Offsite data backup at the minimum, ideally a warm-site disaster recovery paradigm (easiest for cloud servers) SSL certificates and HTTPS for all web-based access to PHI (protected health information) Private IP addresses Is encryption required? We are asked this repeatedly, and the answer is \u201cNo, but it\u2019s a darn good idea.\u201d Encryption is usually handled at the software application level, so if you are&#8230;<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[],"other_category":[],"class_list":["post-1753","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.2 (Yoast SEO v27.2) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Five Questions to Ask Your Business Associates: #3 Policies &amp; Technologies | OTAVA<\/title>\n<meta name=\"description\" content=\"There are basic technologies and practices that indicate a culture of security awareness and proficiency. 
Here&#039;s what we recommend.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.otava.com\/blog\/five-questions-to-ask-your-business-associates-3-policies-technologies\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Five Questions to Ask Your Business Associates: #3 Policies &amp; Technologies\" \/>\n<meta property=\"og:description\" content=\"There are basic technologies and practices that indicate a culture of security awareness and proficiency. Here&#039;s what we recommend.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.otava.com\/blog\/five-questions-to-ask-your-business-associates-3-policies-technologies\/\" \/>\n<meta property=\"og:site_name\" content=\"OTAVA\" \/>\n<meta property=\"article:published_time\" content=\"2012-02-06T00:00:00+00:00\" \/>\n<meta name=\"author\" content=\"Irma Brillantes\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Irma Brillantes\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.otava.com\/blog\/five-questions-to-ask-your-business-associates-3-policies-technologies\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.otava.com\/blog\/five-questions-to-ask-your-business-associates-3-policies-technologies\/\"},\"author\":{\"name\":\"Irma Brillantes\",\"@id\":\"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263\"},\"headline\":\"Five Questions to Ask Your Business Associates: #3 Policies &#038; Technologies\",\"datePublished\":\"2012-02-06T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.otava.com\/blog\/five-questions-to-ask-your-business-associates-3-policies-technologies\/\"},\"wordCount\":540,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.otava.com\/#organization\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.otava.com\/blog\/five-questions-to-ask-your-business-associates-3-policies-technologies\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.otava.com\/blog\/five-questions-to-ask-your-business-associates-3-policies-technologies\/\",\"url\":\"https:\/\/www.otava.com\/blog\/five-questions-to-ask-your-business-associates-3-policies-technologies\/\",\"name\":\"Five Questions to Ask Your Business Associates: #3 Policies & Technologies | OTAVA\",\"isPartOf\":{\"@id\":\"https:\/\/www.otava.com\/#website\"},\"datePublished\":\"2012-02-06T00:00:00+00:00\",\"description\":\"There are basic technologies and practices that indicate a culture of security awareness and proficiency. 
Here's what we recommend.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.otava.com\/blog\/five-questions-to-ask-your-business-associates-3-policies-technologies\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.otava.com\/blog\/five-questions-to-ask-your-business-associates-3-policies-technologies\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.otava.com\/blog\/five-questions-to-ask-your-business-associates-3-policies-technologies\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.otava.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Five Questions to Ask Your Business Associates: #3 Policies &#038; Technologies\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.otava.com\/#website\",\"url\":\"https:\/\/www.otava.com\/\",\"name\":\"OTAVA\u00ae\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/www.otava.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.otava.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.otava.com\/#organization\",\"name\":\"OTAVA\u00ae\",\"url\":\"https:\/\/www.otava.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.otava.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg\",\"contentUrl\":\"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg\",\"caption\":\"OTAVA\u00ae\"},\"image\":{\"@id\":\"https:\/\/www.otava.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263\",\"name\":\"Irma 
Brillantes\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g\",\"caption\":\"Irma Brillantes\"},\"url\":\"https:\/\/www.otava.com\/blog\/author\/ibrillantesotava-com\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Five Questions to Ask Your Business Associates: #3 Policies & Technologies | OTAVA","description":"There are basic technologies and practices that indicate a culture of security awareness and proficiency. Here's what we recommend.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.otava.com\/blog\/five-questions-to-ask-your-business-associates-3-policies-technologies\/","og_locale":"en_US","og_type":"article","og_title":"Five Questions to Ask Your Business Associates: #3 Policies & Technologies","og_description":"There are basic technologies and practices that indicate a culture of security awareness and proficiency. Here's what we recommend.","og_url":"https:\/\/www.otava.com\/blog\/five-questions-to-ask-your-business-associates-3-policies-technologies\/","og_site_name":"OTAVA","article_published_time":"2012-02-06T00:00:00+00:00","author":"Irma Brillantes","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Irma Brillantes","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.otava.com\/blog\/five-questions-to-ask-your-business-associates-3-policies-technologies\/#article","isPartOf":{"@id":"https:\/\/www.otava.com\/blog\/five-questions-to-ask-your-business-associates-3-policies-technologies\/"},"author":{"name":"Irma Brillantes","@id":"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263"},"headline":"Five Questions to Ask Your Business Associates: #3 Policies &#038; Technologies","datePublished":"2012-02-06T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.otava.com\/blog\/five-questions-to-ask-your-business-associates-3-policies-technologies\/"},"wordCount":540,"commentCount":0,"publisher":{"@id":"https:\/\/www.otava.com\/#organization"},"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.otava.com\/blog\/five-questions-to-ask-your-business-associates-3-policies-technologies\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.otava.com\/blog\/five-questions-to-ask-your-business-associates-3-policies-technologies\/","url":"https:\/\/www.otava.com\/blog\/five-questions-to-ask-your-business-associates-3-policies-technologies\/","name":"Five Questions to Ask Your Business Associates: #3 Policies & Technologies | OTAVA","isPartOf":{"@id":"https:\/\/www.otava.com\/#website"},"datePublished":"2012-02-06T00:00:00+00:00","description":"There are basic technologies and practices that indicate a culture of security awareness and proficiency. 
Here's what we recommend.","breadcrumb":{"@id":"https:\/\/www.otava.com\/blog\/five-questions-to-ask-your-business-associates-3-policies-technologies\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.otava.com\/blog\/five-questions-to-ask-your-business-associates-3-policies-technologies\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.otava.com\/blog\/five-questions-to-ask-your-business-associates-3-policies-technologies\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.otava.com\/"},{"@type":"ListItem","position":2,"name":"Five Questions to Ask Your Business Associates: #3 Policies &#038; Technologies"}]},{"@type":"WebSite","@id":"https:\/\/www.otava.com\/#website","url":"https:\/\/www.otava.com\/","name":"OTAVA\u00ae","description":"","publisher":{"@id":"https:\/\/www.otava.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.otava.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.otava.com\/#organization","name":"OTAVA\u00ae","url":"https:\/\/www.otava.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.otava.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg","contentUrl":"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg","caption":"OTAVA\u00ae"},"image":{"@id":"https:\/\/www.otava.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263","name":"Irma 
Brillantes","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g","caption":"Irma Brillantes"},"url":"https:\/\/www.otava.com\/blog\/author\/ibrillantesotava-com\/"}]}},"_links":{"self":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/posts\/1753","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/comments?post=1753"}],"version-history":[{"count":0,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/posts\/1753\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/media?parent=1753"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/categories?post=1753"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/tags?post=1753"},{"taxonomy":"other_category","embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/other_category?post=1753"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}