
A Balance of Trust: New Guidelines for Business Associates Under HIPAA


The relationship between a covered entity and a business associate requires a delicate balance of trust. That balance holds because each party is invested in the security and protection of protected health information (PHI). As a covered entity, it is important to partner with business associates that have a strong security posture, with safeguards and controls in place to prevent HIPAA violations and the fines that follow them.

As a covered entity, you carry a heavy responsibility to know how your trusted business associates are using and protecting ePHI. To distribute that responsibility more evenly between covered entities and business associates, the HIPAA Omnibus Final Rule made business associates directly liable for certain requirements of the HIPAA Rules, and OCR has now compiled those responsibilities in one place.

On May 24, 2019, the Department of Health and Human Services Office for Civil Rights (OCR) released a fact sheet that, in its own words, “provides a clear compilation of all provisions through which a business associate can be held directly liable for compliance with certain requirements of the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (‘HIPAA Rules’).”

What changes were made?

The fact sheet lists ten provisions for which a business associate can be held directly liable by OCR, independent of any contractual liability to the covered entity. Below is a summary of those violations:

  1. Failure to provide records and compliance reports, cooperate with investigations and reviews, and permit access to information to determine compliance
  2. Taking retaliatory action against individuals filing a HIPAA complaint
  3. Failure to comply with the Security Rule requirements
  4. Failure to provide breach notification to a covered entity or another business associate
  5. Impermissible use and disclosures of PHI
  6. Failure to disclose a copy of PHI to the covered entity
  7. Failure to make reasonable efforts to limit PHI to minimum necessary
  8. Failure to provide an accounting of disclosures
  9. Failure to enter into business associate agreement with subcontractors that create or receive PHI, and failure to comply with the implementation specifications for such agreements
  10. Failure to take reasonable steps to address a material breach or violation of a subcontractor’s business associate agreement

What does this mean moving forward?

Because the covered entity remains responsible for notifying both the Federal Government and the affected individuals when a breach is caused by a business associate, it is understandable that entrusting others with ePHI creates some anxiety. The way a vendor handles ePHI can greatly affect the goals of any healthcare organization.

Having a proper HIPAA Security Risk Analysis performed addresses the basic requirements for how a covered entity should manage its business associates.

More covered entities today require business associates to complete a HIPAA Security Risk Analysis, or a data security checklist covering the same policies and procedures, and to submit supporting evidence (e.g. screenshots showing proof of encryption, firewall configuration, data loss prevention, and log/alert settings) for approval before an agreement is signed and access to ePHI is granted.

These assurances protect the covered entity, the business associate and most importantly the individual’s rights to privacy and security.

How can HIPAA One support the balance of trust?

Managing multiple business associate agreements and contracts can quickly become unmanageable. HIPAA One will be releasing a new tool to help healthcare organizations manage, track, automate and update these agreements all in one place.

This new Vendor Management System (VMS) is built on HIPAA One’s existing BAA contracting software, which was designed to help healthcare providers better organize contracts and reduce the time, effort, and administrative overhead involved. Below are the key features of the VMS tool:

  • Automated reminders, tracking, and updates with the option to bulk upload vendor information
  • Straightforward, ready-to-use contract templates (CE-friendly). Edits are easy to perform, and all fields are pre-filled for simplicity
  • Flexible, customizable templates that can be grouped by purpose or department. VMS also allows edits to existing legal contracts
  • VMS requires the business associate, vendor or other recipient of the contract to upload proof of compliance before the BAA contract is sent for signature, so the security evidence described above is collected as part of the workflow
  • Built-in electronic signatures file the agreements upon signing making it easy to find during audits or contract reviews. All files, communications and actions are logged automatically
  • The tool can integrate with EHR or ERP financial platforms. Additionally, in subsequent HIPAA One Security Risk Analyses, the questions related to Business Associates will be pre-filled from the VMS data

We understand that it takes a lot of trust to partner with business associates and share critical data across the continuum of care. Ensuring that each vendor meets a standard of security that satisfies your requirements is important before a BAA is signed. If you would like to know more about our Business Associate Agreement tool, or would like to be notified when we release our Vendor Management Solution, please contact us at

Don’t Get Caught! Five Ways to Avoid a Phishing Scam


I love to spend time with my family. Some of our favorite outdoor activities include skiing and mountain biking. Unfortunately, this time of year it is hard to do either activity because the snow is too slushy to ski and the canyon trails are too … [Continue reading]

Am I A Business Associate Under HIPAA? Why Should I Care?


Back in 2013, while Edward Snowden was in Hong Kong revealing that he had leaked documents detailing mass-surveillance programs run by the U.S. government, the Department of Health and Human Services (HHS) was finalizing the Omnibus Final Rule. This rule extended … [Continue reading]

HIPAA Compliance for Microsoft Office 365

Organizations in every industry are upgrading to Microsoft Office 365 to improve security. A common concern among healthcare professionals is that using Office 365 and Microsoft Teams exposes an organization to HIPAA violations. If Office 365 is … [Continue reading]

HHS SRA Tool Version 3.0 – The Good, Bad and Ugly


Earlier this month, the U.S. Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) released an updated version of their Security Risk Assessment Tool (SRAT). We have been following the development of this toolkit since … [Continue reading]

Cloud Email Phishing Attacks: A Practical Guide


Attention CIOs, CISOs and IT Administrators! A quick review of the HHS “Breaches Affecting 500 or More Individuals” list paints a grim picture. Breaches have been steadily increasing, and the culprit is … [Continue reading]

State Departments Conducting Audits?!?

In recent years, healthcare audits have been a trending topic within the compliance world. Following the Phase II launch of the HHS Office for Civil Rights (OCR) Audit Protocol in March 2016, many members of the healthcare community equate audits … [Continue reading]

Healthcare Continues to Dominate Breach Related Costs

A new study conducted by the Ponemon Institute on behalf of IBM Security confirmed the fears of many healthcare information security professionals: no other type of personal information yields a higher value to attackers than compromised patient records. Across the … [Continue reading]

Similar but Different: Gap Assessment vs Risk Analysis

If you've heard the terms gap assessment and risk analysis used interchangeably before in privacy or security conversations, you are not alone. At HIPAA One, we have found that there are quite a few misconceptions about these two approaches and how … [Continue reading]

GDPR and Windows 10 Compliance

This is the second post in a 2-part series on GDPR. Guest post written in collaboration with Microsoft. On April 14, 2016, the European Union (EU) ratified the final version of the General Data Protection Regulation aka GDPR. The new GDPR … [Continue reading]