Business associates must maintain a written policy for how they keep their clients’ PHI secure. How do they transmit data to and from your practice? If they download it from your practice management system – as a billing service would – is it encrypted during transmission? If data is stored on removable or temporary storage devices, how are these devices accessed, stored, protected, and destroyed when no longer needed? How is printed PHI stored, transferred, maintained, and disposed of, and who has access to it? A vendor should be able to answer these and other security questions, and provide their security policy and procedure for review.