STANDARDIZING THE BAA / SECURITY ASSESSMENT
Work with us to make the BAA process better.
Our goal is to create an open source framework for the BAA process—starting with the security assessment.
We want every BAA process to take no more than 3 to 4 weeks to complete. Based on our research, the process for startups (and even for established entities) generally takes anywhere from 4 weeks to 9 months. For a company with 12 months of runway, that timeline is an innovation killer.
At a minimum, we want to educate entrepreneurs on the most important and most common questions to consider when developing their risk and compliance protocols.
We analyzed hundreds of security assessments to create a standard question set. We put it into a survey for the Together.Health community to analyze. Take our survey and help us identify the top questions.
A barrier to innovation for many: Business Associate Agreements and Security Assessments are a barrier to innovation. They create major delays, consume legal and technical capital, and are inconsistent from one covered entity to the next. But the risk they are meant to address still has to be mitigated.
We surveyed covered entities and vendors and found significant frustration and waste on both sides.
What are the top questions?
Based on our preliminary research, the following three questions are the most useful for both covered entities and vendors:
Does your product/service use, store or transmit personally identifiable information (PII)? (Note that a HIPAA BAA specifically covers protected health information (PHI), a subset of PII, so covered entities will usually want this answered with respect to PHI.)
Do you have an acceptable use policy that clearly defines, for all employees, the expectation of privacy and the requirements for litigation, e-discovery, and legal holds?
Does your system/service support role-based access controls/rights?
And add to our growing data set and list of collaborators: