Are Your Business Associates HIPAA Compliant?

Posted by John Dimaggio on Dec 8, 2016 10:24:43 AM

In HIPAA Security

If you are a Covered Entity, you have a vested interest in ensuring your Business Associates are HIPAA compliant. The Office for Civil Rights (OCR) has recently increased its scrutiny of Business Associates, as evidenced by several highly publicized HHS Resolution Agreements levied against this sector. When a Business Associate is found in violation of HIPAA law, the reputation and public trust of the related Covered Entity is negatively impacted. Furthermore, federal law requires Covered Entities to take reasonable steps to ensure their Business Associates maintain HIPAA compliance. With stakes this high, Covered Entities would do well to ensure they have employed a solid Business Associate Management Program.

A Business Associate is generally defined as an individual or organization, other than a workforce member, who creates, receives, maintains or transmits Protected Health Information (PHI) on behalf of a Covered Entity. Covered Entities are required to execute written contracts with Business Associates governing the use of PHI, obtain satisfactory assurance that the Business Associate will properly safeguard PHI, and take reasonable steps to ensure the Business Associate maintains HIPAA compliance. 

Covered Entities have a legal obligation to closely monitor Business Associates, and to act upon any information or evidence that suggests non-compliance, either by assisting the Business Associate to correct the issue or by terminating the business relationship. This means, among other things, ensuring that your Business Associates implement the administrative, physical and technical safeguards outlined in the Security Rule, comply with the current Notice of Privacy Practices, conduct regular security risk assessments and employ a risk management plan. Business Associates must also execute and enforce written contracts with their subcontractors, and take reasonable steps to ensure those agents safeguard PHI and are HIPAA compliant.

The actions (or inactions) of a Business Associate can pose serious financial and reputational risks to a Covered Entity, so these partnerships should be closely managed. The framework for a proactive Business Associate Compliance Program includes a complex series of policies, procedures and contractual requirements governing permitted and required uses and disclosures of PHI, the use of appropriate safeguards, and assurances concerning an agent's use and protection of PHI.

Covered Entities should not underestimate the legal complexity of a Business Associate relationship. Complex, ever-changing regulations, increased vulnerabilities, implementation of new technologies and changes in business processes can make it difficult to ensure your Business Associates maintain HIPAA compliance. Moreover, it can be very challenging to monitor, analyze and remediate compliance without interrupting your own day-to-day business operations. Consider hiring a compliance partner to help you navigate the process.

BlueOrange Compliance has been providing privacy and security assessments, remediation, training and guidance since the inception of HITECH. Our team is comprised of former healthcare IT executives and top security, privacy and technology analysts. Our national client base consists of hospitals, physician provider practices, Nursing Facilities, LTC Pharmacies, senior living organizations, homecare, hospice and business associates. If you want to learn how BlueOrange Compliance can help you turn HIPAA complexity into HIPAA compliance, visit us at