The Health Information Technology for Economic and Clinical Health (HITECH) Act, passed in 2009, makes each Business Associate (BA) of a covered entity directly liable for compliance with certain requirements of the HIPAA Rules. The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) issued a final rule in 2013 that modified the HIPAA Privacy, Security, Breach Notification and Enforcement Rules (the Rules) to include provisions that apply directly to BAs, making BAs directly liable for those provisions.

What Is a Business Associate Under HIPAA?

Healthcare organizations – or providers, or covered entities – must place their trust in vendors, which are known as Business Associates. BAs provide covered entities with valuable products and services.

In relation to HIPAA, a BA is defined as any company that may have access to Protected Health Information (PHI) while doing business with the healthcare provider.

Following are a few types of businesses that may serve as BAs to healthcare organizations:

  • Law firms,
  • CPAs,
  • Consultants,
  • Claims administrators,
  • Pharmacy benefit managers,
  • Outsourced IT professionals with service organizations.

Further, there are times when a BA may outsource a portion of their own work or tasks for the healthcare provider to another vendor, which may also be referred to as a subcontractor. In that case, the subcontractor would also become a BA if their operations come into contact with PHI.

What Are Covered Entities That Might Engage a BA?

Covered entities are the healthcare organizations, providers, individuals and agencies that must adhere to and comply with the requirements laid out in the HIPAA Rules, which are set to protect the privacy and security of healthcare information. These entities must ensure certain rights for patients regarding their PHI. Any time a healthcare provider engages a BA that provides important products and services to assist in carrying out its standard healthcare activities and functions, it must draw up a contract with the BA called a Business Associate Agreement (BAA).

A few examples of covered entities include the following types of health plans, providers, and clearinghouses:

Health Plans

  • Health insurance companies,
  • Employer-sponsored health plans,
  • Health maintenance organizations, also known as HMOs,
  • Government healthcare programs like Medicare and Medicaid.

Healthcare Providers

Providers that electronically submit HIPAA documentation and transactions, such as claims, are covered. Providers may include the following:

  • Doctors,
  • Clinics,
  • Psychologists,
  • Dentists,
  • Chiropractors,
  • Nursing homes,
  • Pharmacies.

Healthcare Clearinghouses

Clearinghouses are third-party systems hired to interpret claim data between provider systems and insurance payers. A clearinghouse is a private entity, such as a repricing company or billing service, that processes non-standard transactions and data into standard, more readily usable data elements and transactions.

What Does the Business Associate Agreement Entail?

The BAA contract outlines details as to why the BA must have access to the client organization’s PHI. It must also include details about how the BA will take the appropriate measures to safeguard PHI. Additionally, the BAA contract includes a protocol that the BA plans to enact in the event of a data breach or some other breach in privacy that may compromise PHI.

When Is a BA Directly Liable Under HIPAA Rules?

Over the years, BAs have been uncertain about which HIPAA provisions actually apply to them and their business. Many Business Associates have thought, incorrectly, that HIPAA Privacy and HITECH Breach Notification Rules do not apply to them because they are not considered covered entities. It is easy to see how well-intentioned businesses could end up in breach of contract and in a great deal of trouble. Our goal is to supply updated facts to keep PHI and BAs safe.

In May 2019, HHS issued the Direct Liability of Business Associates Factsheet, which lays out the provisions of the 2013 final rule for which BAs are directly liable. Per that fact sheet, a BA is liable for the following:

  1. Failure to provide the Secretary with records and compliance reports, to cooperate with complaint investigations and compliance reviews, and to permit the Secretary access to information, including Protected Health Information (PHI), pertinent to determining compliance.
  2. Failure to comply with the requirements of the HIPAA Security Rule, which outlines the necessary safeguards for the confidentiality, integrity, and availability of electronic PHI (ePHI).
  3. Failure to disclose a copy of ePHI to the appropriate party. The party may be the covered entity, the individual, or the individual’s designee, as specified in the BAA. This requirement exists to satisfy a covered entity’s obligations regarding the form and format, as well as the time and manner, of access to the ePHI.
  4. Failure to make reasonable efforts to limit PHI to the minimum necessary. This protects PHI from unfettered access while still allowing authorized users the access needed to accomplish the intended purpose of the use, disclosure, or request.
  5. Failure to provide breach notification to the covered entity or to another BA.
  6. Failure to provide an accounting of disclosures of PHI in certain circumstances.
  7. Failure to limit uses and disclosures of PHI to those that are permissible.
  8. Failure to enter into the required BAAs with subcontractors, meaning additional vendors engaged by the BA that may handle PHI in any way. This also covers the subcontractor’s failure to comply with the implementation specifications of such agreements.
  9. Failure to take reasonable steps to address a material HIPAA violation or a breach of the subcontractor’s BAA.
  10. Taking, or attempting to take, retaliatory action against any individual, person or entity for filing a HIPAA complaint, leading or participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules.

Are You Concerned About Your Direct Liability as a Business Associate Under HIPAA?

If you are a Business Associate working with a healthcare provider, you may have additional questions regarding your potential liabilities. The team at I.S. Partners, LLC is here to help you understand the HIPAA Rules and address your obligations, along with the obligations of any subcontractors with whom you work, to keep PHI and your respective businesses and reputation safe.

Call us at 215-675-1400, send us a message or request a quote to learn more about HIPAA Rules and your responsibilities when working as a vendor with healthcare organizations.
