Christine Arevalo, VP Healthcare Fraud Solutions, June 09, 2015. Cyber Security | Data Breach Notification | Data Privacy | Incident Response

HIPAA Business Associate 101: A Primer

This blog is part 1 of a 3 part exploration on healthcare business associates risks. For more read The Art of the Possible: Business Associate Compliance and Cost and Risk By Association: Business Associates Face High Stakes in Healthcare Data Security

Picture this: You’re a small consulting firm and you were hired to do an audit on coding for a healthcare insurance provider. Suddenly your client discovers that patient records have been lost or stolen, they’re investigating the incident, and they contact you to determine whether your firm was a cause of the breach. The questions start, and they want immediate answers: what information you have in your possession, how it’s used, etc. Will you have answers ready? Worse yet, imagine that the finger is pointing at you, and you suddenly find that you may be facing regulatory fines and even patient lawsuits. Sure, you do business with a few healthcare organizations, but you don’t provide medical treatment or even payment processing, and you’re only a small company. How can this be happening to you?


Welcome to the new world of healthcare privacy. Today, everyone involved in the healthcare industry, even remotely, needs to know their responsibilities regarding data privacy and security because everyone is potentially held accountable by customers, regulators, the courts, and their business partners. Under the Final Rule of HIPAA (the Health Information Portability and Accountability Act), business associates of healthcare organizations (“covered entities” or “CEs” in HIPAA parlance) are being held responsible for following privacy regulations and facing fines if they don’t. The definition of a business associate (BA) has broadened. BAs are now being audited by the Department of Health and Human Services’ Office for Civil Rights (OCR), and a new report from the Ponemon Institute[1] found that business associates’ average cost from a data breach is 1 million dollars. So no matter the size of your business or how far removed you are from the front lines of medical care, you can’t afford not to know your responsibilities and how to handle “protected healthcare information” (PHI). 

Are We a Business Associate?

Chances are, you are a business associate. In all likelihood, when you set up your business arrangement with your client, they will have asked you to sign a business associate agreement (BAA). This clarifies your role (under HIPAA regulations) relative to your client. But in rare cases, you may have a client agreement where they neglected to have you sign a BAA.

If you’re not sure, the short answer is that if you handle patient information that can in any way identify a specific person (what HIPAA calls PHI), then you’re a business associate. As a BA, you are subject to the regulatory requirements of HIPAA and to penalties if you don’t comply. The official definition in the HIPAA Final Rule (also called the Omnibus Rule) says that a BA is any person or organization that:

  • Creates, receives, maintains, or transmits PHI on behalf of a covered entity or an Organized Health Care Arrangement (OHCA) for a regulated function or activity. These include claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management, or repricing.
  • Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity, if the service involves the disclosure of protected health information (PHI).

The Department of Health and Human Services (HHS) website says typical business associates of a healthcare organization might include:

  • A third party administrator that assists a health plan with claims processing 
  • A CPA firm whose accounting services to a healthcare provider involve access to protected health information
  • A consultant that performs utilization reviews for a hospital 
  • A healthcare clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer
  • An independent medical transcriptionist that provides transcription services to a physician 
  • A pharmacy benefits manager that manages a health plan’s pharmacist network  

But now the Omnibus Rule has expanded the definition of a BA to also include:

  • Those who store or otherwise maintain PHI, such as an Internet service provider (ISP) or cloud service company
  • Health Information Organizations (HIOs), e-prescribing gateways and others who provide data transmission services to a covered entity and require routine access to PHI
  • Anyone who offers a personal health record to individuals on behalf of a covered entity. (HIPAA regulations now require that individuals have access to their health records.)
  • Subcontractors of business associates, if the business associate delegates to the subcontractor a function that involves the creation, receipt, maintenance, or transmission of PHI

The only people and organizations explicitly excluded from the BA designation are: employees of a healthcare organization; providers such as doctors with staff privileges at an institution; labs; service providers such as telephone companies or electricians who have very limited exposure to PHI; and companies such as the postal service, shippers, or couriers, who are considered “conduits” for PHI.

At this point, if your business works with any healthcare-related organization and is not one of the excluded types, you are probably a BA, and you need to know your responsibilities and risks.

What Is a BAA and Why Do You Want One?

A business associate agreement is a contract between the business associate and the HIPAA covered entity (CE) that the BA works with. The contract contains special language required by the HIPAA statute. A BAA describes the permitted and required uses of PHI by the business associate, provides that the business associate will not use or disclose PHI except as specified in the contract, and requires the business associate to use appropriate safeguards to prevent exposure or unauthorized use of the information.

As a BA, you have direct obligations to federal regulators to follow the Privacy, Security, and Breach Notification Rules of the HITECH Act and the Omnibus Rule. The importance of your BAA, therefore, is that it clarifies the areas where you have to work with your client (the covered entity) under certain circumstances, most specifically breach notification. If you discover an incident that you think is a data breach, you're obligated to notify your client. Your BAA probably outlines the timeframe required for this notification and, if breach and patient notification are ultimately required, who would bear the costs if you as the BA caused the breach.

As of September 22, 2014, all CEs were required to have these contracts in place with all of their BAs, and that is one of the things that OCR will be checking as it does audits of randomly chosen healthcare organizations over the next few years. In fact, the law now requires that subcontractors with whom BAs share PHI must also have agreements, so there could be a web of agreements between CEs and BAs, between BAs and their subcontractors, and sometimes between the subcontractors themselves.[2]

A special security contract may sound intimidating to a BA that is a mid-sized or smaller business, but having a BA agreement in place is actually a win-win. First, it spells out what the business associate needs to do in order to comply with the HIPAA requirements, and the contracting process may trigger discussions or reviews that lead to improved data security and help prevent future data breaches. Second, knowing exactly what is expected helps a BA maintain a good business relationship with valued customers. If a CE knows of a breach or violation by a BA, the CE is required to take reasonable steps to remediate the breach or end the violation. If that doesn’t happen, they must end the contract. In case a breach does happen, if the BA has been following the terms of the contract, it may help the organization avoid fines for non-compliance and protect itself in case of legal action by its business partner or by the patients affected by the breach.

How to Be a Successful BA

HIPAA (and your BA agreements) will require your organization to put in place three kinds of safeguards for PHI:

  • Administrative: This includes doing a risk analysis to understand what kinds of PHI you have, how you use it, where it could be vulnerable, and what the impact could be if it were lost, stolen, or exposed. Based on the risk analysis, you will develop policies and procedures to protect that PHI and to outline your response in case of a breach or suspected breach.
  • Technical: These are safeguards built into your IT systems and procedures—even the ones you may have outsourced to another vendor such as an application services or network services provider. (Remember that the safeguards may include BA agreements between you and those providers.)
  • Physical: These include measures such as limiting access to your facilities, systems, and data storage areas to authorized personnel; having security policies for use of laptops and mobile devices; and making sure that materials are recovered and access is taken away when someone leaves your organization.

If you are a small or mid-sized organization, as are many BAs, chances are you don’t have data privacy or security experts on staff, and starting on all these measures may be daunting. Fortunately, there is an obvious and cost-effective place to start: the risk analysis. You can bring in expert help for that step, and the results will show you where you are most vulnerable and where to concentrate your efforts and your spending. Guided by the risks, you can address the most critical areas first and then grow your security programs as necessity dictates and as time and budget allow.

PHI security is a lot to take on, especially in this age of cyber-attacks and daily breaches in the news. For the first time, this year’s Ponemon Institute report found that criminal attacks were the number one cause of data breaches in healthcare. Web-borne security attacks caused security incidents for 78 percent of healthcare organizations and 83 percent of BAs. These challenges really can be overwhelming, so it is important to remember that the end goal of all these regulations and contracts is to keep patients safe. A stolen medical identity and resulting fraud can saddle a person with huge medical bills that aren’t theirs, cause denial of coverage and critical care, or lead to life-threatening situations when someone else’s medical information ends up in their records. So while there is work and expense to putting BA agreements and new security and privacy procedures in place, in the end, it will benefit your business, your business partners, and the patients you both serve.


[1] Ponemon Institute, LLC. Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, 2015.

[2] http://www.mcdonaldhopkins.com/alerts/healthcare-who-is-a-hipaa-business-associate