HIPAA and Business Associates

by Brian Tuttle

D-Day is September 23, 2013

Oh dear sweet lord can’t we just practice medicine…

It’s me again, Brian Tuttle, your old HIPAA compliance buddy, with more alarming news. The new changes in the HIPAA laws for 2013 have a dramatic effect (and could prove costly) not just for Covered Entities but for Business Associates, and for those who subcontract for a Business Associate as well.

Let’s quickly review exactly what a Business Associate (BA) is. The new definition set forth by our government states that “a business associate is a person or entity who ‘on behalf of the covered entity’ performs services in which the BA creates, receives, maintains, or transmits Protected Health Information.”

OK, that’s nice, but who would be considered a Business Associate? Attorneys, medical transcription providers, claims processors, billing service providers, IT consultants, off-site data storage providers, accounting, administrative services, financial services, or any other entity that creates, receives, maintains, or transmits protected health information. Notice the word “maintains”. This is new and very important because even if an entity only “maintains” protected health information (for example, a storage provider that never opens the records), it is still considered a business associate and must abide by all the governing HIPAA laws! Arrrrgh!

Now here’s the really bad news. As you probably already know, the Office for Civil Rights (OCR) has begun an aggressive auditing campaign against Covered Entities. Well, it doesn’t stop there. The OCR is auditing Business Associates as well!! The OCR has made it very clear that civil and monetary penalties will be on the rise for HIPAA violations – and not just for wrongful disclosure, but also for not having the proper mechanisms in place to prevent a future wrongful disclosure!! The OCR is getting nasty with this, and compliance is no longer merely suggested as before but is absolutely REQUIRED!

Here is a link to the auditing protocol used by the Feds: http://ocrnotifications.hhs.gov/hipaa.html

Beginning on September 23, 2013 Business Associates will be directly liable for:

  • Failure to comply with the HIPAA Security rule
  • Failure to disclose to HHS as required
  • Failure to provide breach notification to a Covered Entity
  • Wrongful use and disclosure of PHI
  • Failure to maintain the “minimum necessary” standard
  • Failure to maintain a business associate agreement with sub-contractors

OK, so what can you do as a Business Associate to avoid nasty fines and perhaps worse?

  • Conduct a thorough HIPAA Security Risk Assessment covering all 44 implementation specifications of the Rule
  • Create custom written Policies and Procedures for each implementation specification – and have staff trained on them
  • Have a HIPAA specific training program for all staff members
  • Identify any sub-contractors that create, receive, maintain, or transmit PHI
  • Update your Business Associate Agreements
  • Be sure you have a written contingency plan in place

As a Business Associate you should be aware that a covered entity may not do business with you if you haven’t taken the necessary steps for compliance. And the new changes are going to put the financial burden on YOU for any wrongful disclosures or lack of compliance.

On that note I bid adieu.  Please feel free to contact me with any questions or concerns: brian.tuttle@ingaugehsi.com